Professional Documents
Culture Documents
CHAPTER 1
Question 1
Question 2
Question 3
Question 4
Question 5
Define the following terms: (ISCA class notes Pg no-31 & 32)
(ii) Countermeasure
Question 6
Briefly explain various risk management strategies. (ISCA class notes Pg no-33)
• Turn back
Question 7
Question 8
P3ICSO
HATKE QUESTIONS
Question 1
Question 2
Discuss some of the sample metrics for reviewing the process of evaluating and
assessing compliance with external laws & regulations and IT compliances with internal
policies
Question 1
(A) Describe the major benefits achieved through proper governance in an organization.
(ISCA class notes Pg no-10)
6) Providing stability
1) Value
2) Risk
3) Cost
4) Customer satisfaction
5) IT business- tune
6) Business wide
7) Compliance/ control
8) Agile
9) Optimal Utilization
Question 2
(A) What are the key governance practices that are required to implement GEIT in an
enterprise? (ISCA class notes Pg no-14)
(B) Discuss key management practices, which are needed to be implemented for
e aluati g hethe usi ess alue is de i ed f o IT i a o ga izatio .
Question 3
(A) Discuss the key management practices, which are required for aligning IT
strategy with enterprise strategy.(ISCA class notes Pg no-25)
1) Collect data
2) Analyze risk
4) Articulate risk
6) Respond to risk
(C) Describe key management practices for ensuring compliance with external
compliances as relevant to the enterprise.(ISCA class notes Pg no-38)
Question 4
i) Leadership
ii) Organizational Structure
iii) Processes
iv) Risks
v) Controls
vi) Performance Measurement/Monitoring
b)Discuss the areas, which should be reviewed by internal auditors as a part of the review
of Governance, Risk and Compliance.
1) Scope
2) Governance
4) Risk Management
5) Interpretation
vi) Risk assessment methodology; and vii) Risk action plan and Timely reassessment.
d) Discuss the key management practices for assessing and evaluating the system of
internal controls in an enterprise in detail.
The key management practices for assessing and evaluating the system of internal
controls in an enterprise are given as follows:
Question 1
Question 2
LABS
Question 3
Question 4
Question 5
Write short notes on the following:(ISCA class notes Pg no-77 & 79)
Question 6
What is an Expert System? Discuss some of the business implications of Expert Systems in
brief.(ISCA class notes Pg no-80)
Question 7
Question 8
Discuss some of the properties that potential applications should posses to qualify for
Expert System development.(ISCA class notes Pg no-81)
STRUCTURE ABCDE
Question 9
• I fo ation Systems help in making right decision at the right time i.e. just on time.
• A good I fo atio “ ste a help i ge e ati g innovative ideas for solving critical
problems.
Question 10
HATKE QUESTIONS
Question 1
Question 2
Question 3
Question 4
What do you understand by TPS? Briefly discuss the key activities involved in a TPS.(ISCA
class notes Pg no-61).
Question 1
Top le el ko de isio …
FILL HIGH
F) What is Decision Support System (DSS)? Explain the key characteristics of a DSS in
brief.(ISCA class notes Pg no-69)
Question 2
(C) Explain the components of a DSS in brief. (ISCA class notes Pg no-70)
(D)Components of EMCS
Question 3
Question 4
S3E
Question 1
Question 2
What are the key components of a good security policy? Explain in brief.
Question 3
Question 4
Question 5
What do you understand by Financial Controls? Explain major financial control techniques
in brief.(ISCA class notes Pg no-113)
ABCDIS4
Question 6
Question 7
Discuss the three processes of Access Control Mechanism, when a user requests
for resources.(ISCA class notes Pg no-136)
• Authe ti atio
• Authorization
Question 8
Question 9
Question 10
What is Cyber Fraud? Differentiate between pure cyber frauds and cyber enabled frauds
(ISCA class notes Pg no-141)
HATKE QUESTIONS
Question 1
The Information Security Policy of an organization has been defined and documented as
given below:
Discuss Information Security Policy and also identify the salient components that have not
been covered in the above policy.
An Information Security Policy addresses many issues such as disclosure, integrity and
availability concerns, who may access what information and in what manner, basis on
which access decision is made, maximized sharing versus least privilege, separation of
duties, who controls, who owns the information, and authority issues.
Issues to address: This policy does not need to be extremely extensive, but clearly state
senior management's commitment to information security, be under change and
version control and be signed by an appropriate senior manager. The policy should at
least address the following issues:
• reasons why information security is important to the organization, and its goals and
principles,
Separate those, who can run live programs e.g. operations department, from those
who can change programs e.g. programmers. This is required in order to ensure that
unauthorized programs are prevented from running.
Separate those, who can access the data e.g. data entry and the DBA, from those who
can run programs e.g. computer operators. This is required in order to ensure that
unauthorized data entry cannot take place.
Separate those, who can input data e.g. data entry, from those, who can reconcile or
approve data e.g. data authorization persons. This is required in order to ensure that
unauthorized data entry cannot take place.
Separate those, who can test programs e.g. users, quality assurance and security,
from those, who can develop programs e.g. application programmers. This is required
in order to ensure that unauthorized programs cannot be allowed to run.
Separate those, who can enter errors in a log e.g. data entry operator, who transfer
the data to an error log, from those who can correct the errors like the end user
departments. This is required in order to ensure that unauthorized data entry cannot
take place.
Separate those, who can enter data e.g. data entry personnel, from those who can
access the database e.g. the DBA. This is required in order to ensure that
unauthorized data entry or data modification cannot take place.
Question 3
Question 4
Explain some of the key ways to control remote and distributed data processing
applications in brief.
Remote and distributed data processing applications can be controlled in many ways.
Some of these are given as follows:
• Remote access to computer and data files through the network should be
implemented.
• Applications that can be remotely accessed via modems and other devices should be
controlled appropriately.
• Data transmission over remote locations should be controlled. The location which
sends data should attach needed control information that helps the receiving location to
verify the genuineness and integrity.
Question 1
1) Strategic plans
2) Business operations
3) Finances
1) Top secret
2) Highly confidential
3) Proprietary
4) Internal use
5) Public documents
Question 2
1) Accounting controls
2) Operational controls
3) Administrative controls
1) Preventive controls
3) Corrective controls
4) Compensatory controls
1) Environmental controls
4) IS operational controls
5) IS management controls
6) SDLC controls
Question 3
(A) Briefly explain major update controls with reference to database controls in brief. (ISCA
class notes Pg no-119)
(B) Briefly explain major report controls with reference to database controls in brief. (ISCA
class notes Pg no-119)
1) Standing data
4) Existence/Recovery controls
Question 4
Worm ne ghodepe…
Question 5
Discuss major dimensions under which the impact of cyber frauds on enterprises can be
viewed and impact or exposure of logical access control
• Fi a ial Loss
Question 6
a)What is Data I teg it ? E plai si atego ies of i teg it controls in brief(ISCA class
notes Pg no-121)
Question 1
Weak ccd
Question 2
Question 3
Question 4
1) Management Process
3) Strategy Process
Question 5
Write a short note on major activities that should be carried out in implementation. (ISCA
class notes Pg no-159)
Question 6
What are the major documents that should be the part of a Business Continuity
Management system? Explain in brief.(ISCA class notes Pg no-160)
Question 7
Write a short note on Business Impact Analysis. (ISCA class notes Pg no-161)
Question 8
The risk assessment is assessment of the disruption to critical activities, which are
supported by resources such as people, process, technology, information,
infrastructure supplies and stakeholders.
The enterprise should determine the threats and vulnerabilities of each resource,
and the impact that would have, in case it becomes a reality.
For ready reference Specific threats may be described as events or actions, which
could, at some point, cause an impact to the resources,
e.g. threats such as fire, flood, power failure, staff loss, staff absenteeism, computer
viruses and hardware failure.
Vulnerabilities might occur as weaknesses within the resources and can, at some
point be exploited by the threats, e.g. single points of failure, inadequacies in fire
protection, electrical resilience, staffing levels, IT security and IT resilience.
(iii) limit the impact of a disruption o the e te p ise s ke products and services.
Question 9
Discuss the maintenance tasks undertaken in the development of a BCP in brief. (ISCA class
notes Pg no-166)
• Dete i e the ownership and responsibility for maintaining the various BCP strategies
within the enterprise;
• Ide tif the BCP ai te a e t igge s to e su e that a o ga izatio al, ope atio al,
and structural changes are communicated to the personnel who are accountable for
ensuring that the plan remains up-to-date;
• I ple e t version control procedures to ensure that the plan is maintained up-to-
date.
Question 10
Question 11
HATKE QUESTIONS
Question 1
While developing a Business Continuity Plan, what are the key tasks that should be
o e ed i the se o d phase Vul e a ility Assessment and General definition of
‘e ui e e t ?(ISCA class notes Pg no-156)
• The Security Assessment will enable the project team to improve any existing
emergency plans and disaster prevention measures and to implement required
emergency plans and disaster prevention measures where none exist.
Question 2
Describe the methodology of developing a Business Continuity Plan. Also enumerate its
eight phases.(ISCA class notes Pg no-155)
(vi) Selecting business continuity teams that ensure the proper balance required for plan
development;
(vii) Developing a business continuity plan that is understandable, easy to use and
maintain; and
(viii) Defining how business continuity considerations must be integrated into on-
going business planning and system development processes in order that the plan
remains viable over time.
Question 3
A company has decided to outsource its recovery process to a third party site. What are
the issues that should be considered by the security administrators while drafting the
contract? (ISCA class notes Pg no-172)
• The number of organizations that will be allowed to use the site concurrently in the
event of a disaster;
• The priority to be given to concurrent users of the site in the event of a common
disaster;
• The facilities and services the site provider agrees to make available;
Question 1
(C)Explain the objectives of performing BCP tests while developing a business continuity
plan. (ISCA class notes Pg no-166)
(iii) There sources such as business processes, systems, personnel, facilities and data are
obtainable and operational to perform recovery processes.
(iv) The manual recovery procedures and IT backup system/s are current and can either
be operational or restored.
(v) The success or failure of the business continuity training program is monitored.
Question 2
1) Emergency plan
2) Back-up plan
3) Recovery plan
OR
1) Full back-up
2) Differential back-up
3) Incremental back-up
4) Mirror back-up
1) Cold site
2) Hot site
3) Warm site
4) Reciprocal agreement
Question 3
(B) What are the key aspects that should be verified during audit/self-assessment of an
e te p ise BCM p og a hile e ie i g BCM a a ge e ts? (ISCA class notes Pg no-167)
(i) All key products and services and their supporting critical activities and resources
have been identified a d i luded i the e te p ise s BCM strategy;
iii The e te p ise BCM competence and its BCM capability are effective and fit-for-
purpose and will permit management, command, control and coordination of an incident;
i The e te p ise s BCM solutions are effective, up-to-date and fit-for-purpose, and
appropriate to the level of risk faced by the enterprise;
The e te p ise s BCM maintenance and exercising programs have been effectively
implemented;
(vi) BCM strategies and plans incorporate improvements identified during incidents and
exercises and in the maintenance program;
(vii) The enterprise has an ongoing program for BCM training and awareness;
(viii) BCM procedures have been effectively communicated to relevant staff, and that
those staff understand their roles and responsibilities.
MAIN QUESTIONS
Question 1
Bring out the reasons as to why organizations fail to achieve their Systems Development
Objectives? (ISCA class notes Pg no-177)
Question 2
Discuss the key characteristics of Waterfall Model in brief. Also explain its major
weaknesses. (ISCA class notes Pg no-181)
Question 3
What is waterfall model of system development? Also discuss its major strengths. (ISCA
class notes Pg no-180)
Question 4
Question 5
Question 6
What is incremental model of system development? Also discuss its major strengths. (ISCA
class notes Pg no-184)
Question 8
Question 9
Question 10
What do you understand by agile model of software development? Also explain its major
strengths and weaknesses in brief.(ISCA class notes Pg no-187)
Question 11
Explain the key features of agile model (ISCA class notes Pg no-187)
Question 12
State and briefly explain the stages of System Development Life Cycle (SDLC).
Question 13
What are the possible advantages of SDLC from the perspective of IS Audit?
1) The IS auditor can have clear understanding of various phases of the SDLC on the
basis of the detailed documentation created during each phase of the SDLC.
2) The IS Auditor on the basis of his/her examination, can state in his/her report about
the compliance by the IS management with the procedures, if any, set by
management.
Question 14
What are the major aspects that need to be kept in mind while eliciting information to
delineate scope?
• While the i itiato of the project may be a member of the senior management, the
actual users may be from the operating levels in an organization. An understanding of
their profile helps in designing appropriate user interface features.
• It is also e essa to understand the impact of the solution on the organization- its
structure, roles and responsibilities. Solutions, which have a wide impact, are likely to be
met with greater resistance. ERP implementation in organizations is a classic example of
change management requirement. Organizations that have not been able to handle it
may have a very poor ERP implementation record with disastrous consequences.
Question 15
What do you understand by feasibility study? Explain various types of feasibility studies in
detail.(ISCA class notes Pg no-191)
Question 16
Discuss in detail, how the analysis of present system is made by the system analyst? Or A
Company is offering a wide range of products and services to its customers. It relies
heavily on its existing information system to provide up to date information. The
company wishes to enhance its existing system. You being an information system auditor,
suggest how the investigation of the present information system should be conducted so
that it can be further improved upon. (ISCA class notes Pg no-196)
DIDI KE HOME
Question 17
This is very important phase of software development, since any error in this phase
would effect all subsequent phase of development
During the requirement analysis phase of the traditional approach, the focus is on
determining user needs, studying the application area in depth, assessing the
strengths and weaknesses of the present system and reporting results to
management.
The aim of the requirement analysis is to thoroughly understand the user require-
ment and remove any inconsistencies and incompleteness in these requirements.
Major objectives of system requirements analysis phase in the SDLC are given as follows:
• To identify and consult stake owners to determine their expectations and resolve their
conflicts;
Question 18
Describe briefly four categories of major tools that are used for system
development.(ISCA class notes Pg no-199)
Question 19
U R RARE
Question 20
1. Checking Method
Be h a ki g p o le fo e do s p oposals
5) Testing Problems
Question 21
What is Unit Testing? Explain five categories of tests that a programmer typically
performs on a program unit. (ISCA class notes Pg no-219)
• Pa allel Tests
Question 22
Question 23
Question 24
Question 25
HATKE QUESTIONS
Question 1
The top management of company has decided to develop a computer information system
for its operations. Is it essential to conduct the feasibility study of system before
implementing it? If answer is yes, state the reasons. Also discuss three different
angles through which feasibility study of the system is to be conducted. (ISCA class notes
Pg no-192)
Question 2
If you are the Project Manager of a Software Company with the responsibility for
developing a break-through product, combining state of the art hardware and software;
will you opt for prototyping as a process model for a product meant for the
intensely competitive entertainment market?
Prototyping as a process model will be inappropriate and hence inadvisable for the
following reasons:
• P otot pi g requires user involvement. Here, users are consumers of the product who
are diffused and may not be inclined to join in.
• Prototyping requires significant time for experimenting. Since the product is meant for
the intensely competitive entertainment market, the project manager may not have that
much time to experiment, and the competitor may capture the market by entering the
market in advance.
Question 1
(A)Explain the factors to be considered while designing the output of the system.(ISCA
class notes Pg no-209)
FC ROAD PE JAYENGE
(B)Explain the factors to be considered while designing the input of the system.
FC ROAD PE JAYENGE
Question 2
(A) Explain various fact finding techniques used by system analyst for determining the
needs/ requirements of a system to be developed.
DIOQ
(B) Explain two primary methods, which are used for the analysis of the scope of a project
in SDLC (ISCA class notes Pg no-195)
Two primary methods, which are used for the analysis of the scope of a project in SDLC
are given as follows:
2) Conducting Interviews:
Written documents tell the analyst how the systems should operate, but they may
not include enough details to allow a decision to be made about the merits of a
systems proposal, nor do they present users' views about current operations.
To learn these details, analysts use interviews. Interviews allow analysts to know
more about the nature of the project request and the reasons for submitting it.
Question 3
(A) Explain different changeover strategies used for conversion from old system to new
system.(ISCA class notes Pg no-226)
Different changeover strategies used for conversion from old system to new system are
given as follows:
• Phased Changeover
(B)Discuss briefly, various activities that are involved for successful conversion with
respect to a computerized information system.(ISCA class notes Pg no-227)
• P o edu e o e sio
• File o e sio
• “ heduli g pe so el a d e uip e t
Question 1
What are the factors that influence an organization towards controls and audit of
computers? (ISCA class notes Pg.no-234)
Controls:-
5) Maintenance of Privacy
Question 2
Question 3
Dis uss the poi ts elati g to Legal Co side atio s a d Audit “ta da ds to e o side ed
by an IS auditor as a part of his/her preliminary review.
Question 4
Question 5
Application=s3p3
Question 6
CAT OBJECTIVE
Question 7
SADSE
Question 8
Explain three major ways by which audit trails can be used to support security
objectives.(ISCA class notes Pg.no-253)
DRP
Question 9
• Dual e o di g of data
• Pe iodi du pi g of data
Question 10
The six activities discussed below deal with system development controls in IT setup.
These are given as follows:
Question 11
Write short note on Data Communication Security with reference to Computer Centre
Security and Controls
Question 12
Write short note on Physical Security with reference to Computer Centre Security and
Controls
Physical
communication
Question 13
A) Major Exposures
There are two major exposures in the communication sub-system including Internet and
Intranet, which are given as follows:
1. Component Failure:
2. Subversive Threats:
Question 14
1) Risk Assessment:
2) Controls Assessment:
3) Review of Documents.
Question 15
1) Field Interrogation:. The following are some common types of field interrogation.
Various field checks used to ensure data integrity have been described below:
Question 16
Discuss major audit issues of operational layer with reference to application security
audit.(ISCA class notes Pg.no-272
Discuss major audit issues of Tactical Layer with reference to application security
audit.(ISCA class notes Pg.no-272)
Question 18
Write short note on Strategic Layer with reference to application security audit
HATKE QUESTIONS
Question 1
An important task for the auditor as a part of his/her preliminary evaluation is to gain a
good understanding of the technology environment and related control issues.Explain
major aspects that should be considered in this exercise.
Question 2
What are the key steps that can be followed for a risk-based approach to make an audit
plan? Explain in brief.
• Inventory the information systems in use in the organization and categorize them.
• Assess what risks affect these systems and the likelihood and severity of the impact on
the business.
• Based on the above assessment, decide the audit priority, resources, schedule
and frequency.
Question 3
Explain major risks relating to personal computers. Also explain the security measures
that could be exercised to overcome those risks.
Question 4
What are the major aspects that should be thoroughly examined by an IS Auditor during
the audit of Environmental Controls? Explain in brief.
Question 1
Dosa Idli
3) Systemic error
Question 2
(iii) Fieldwork
(iv) Analysis
(v) Reporting
(vi) Closure
Question 3
1) Run-to-run totals
2) Reasonableness verification
3) Edit checks
4) Field initialization
5) Exception reports
3) Spooling/Queuing
6) Retention controls
Question no 4
MAIN QUESTIONS
Question 1
Lajawab, Sunder,Susheel......
Question 2
Define the following terms with reference to Information Technology Act 2000: (i) Digital
signature(ISCA class notes Pg.no-278)
(ii) Electronic form: With reference to information, it means any information generated,
sent, received or stored in media, magnetic, optical, computer memory, microfilm,
computer generated micro fiche or similar device.
(iii) Key Pair: In an asymmetric cryptosystem, it means a private key and its
mathematically related public key, which are so related that the public key can verify a
digital signature created by the private key.
Question 3
Question 4
Dis uss the Use of Ele t o i ‘e o ds i Go e e t a d its age ies i the light of
Section6 of Information Technology Act 2000.
Question 5
Question 6
Question 7
Question 8
Section 69 gives powers to Central & State Governments to issue directions empowering
a Government agency to intercept, monitor or decrypt any information through or
in any computer if it is for important purposes as specified in the section. These include:
(1) the interest of the sovereignty or integrity of India, defense of India, security of the
State, friendly relations with foreign States or public order or for preventing incitement
to the commission of any cognizable offence relating to above or for investigation
of any offence,
(2) The Procedure and safeguards over such interception or monitoring or decryption,
shall be prescribed.
(3) The subscriber or intermediary or any person in charge of the computer resource
shall, when called upon by the agency, extend all facilities and technical assistance
Question 10
Dis uss Pe alt fo pu lishi g Ele t o i “ig atu e Ce tificate false in certain
pa ti ula s u de “e tio of I fo atio Te h olog A t .
Question 11
Question 12
(i) [Section 66B] Punishment for dishonestly receiving stolen computer resource
or communication device
(iii) [Section 66D] Punishment for cheating by personation by using computer resource
Question 13
• To block the access by the public or cause to be blocked for access by public any
information generated, transmitted, re ceived, stored or hosted in any computer
resource. site in the interest of sovereignty and integrity of India, defense of India,
security of the State, friendly relations with foreign states.
• Subscriber should assist authorized person, if fails subscriber will be liable for
punishment
Question 14
E plai the Po e to autho ize to o ito a d olle t t affi data o i fo atio th ough
any computer esou e fo C e “e u it ith efe e e to “e tio B of the
Information Technology Act 2000.
(1) Monitor and collect traffic data or information generated, transmitted, received or
stored in any computer resource.
(3) Subscriber should assist authorized person, if fails subscriber will be liable for
punishment.
Question 15
Question 16
Question 17
Question 18
Question 19
Question 20
Question 21
HATKE QUESTIONS
Question 1
Discuss the main provisions provided in Information Technology Act 2000 to facilitate e-
Governance.(ISCA class notes Pg.no-283 &284)
E-Governance sections of chapter III 6, 7 and 8 are the main sections for provisions
related to e-Governance provided in Information Technology Act 2000 to facilitate e-
governance.
Question 2
What is the vision of National Cyber Security Policy 2013? Also explain its major
objectives (ISCA class notes Pg.no-305)
Vision of the National Cyber Security Policy 2013 is: To uild a se ure a d
resilie t y erspa e for itize s, usi ess a d Go er e t a d the issio To protect
information and information infrastructure in cyberspace, build capabilities to prevent
and respond to cyber threats, reduce vulnerabilities and minimize damage from
cyber incidents through a combination of institutional structures, people processes,
te h ology a d ooperatio .
• To create an assurance framework for design of security policies and for promotion
and enabling actions for compliance to global security standards and best practices by
way of conformity assessment (product, process, technology, & people);
• To stre gthe the ‘egulatory fra e ork for ensuring a Secure Cyberspace ecosystem;
• To enhance and create National and Sectorial level 24*7 mechanisms for
obtaining strategic information regarding threats
• To improve visibility of the integrity of ICT products & services and establishing
infrastructure for testing & validation of security of such products;
• To provide fiscal benefits to businesses for adoption of standard security practices and
processes;
• To create a culture of cyber security and privacy enabling responsible user behavior
&actions through an effective communication and promotion strategy;
Question 1
(A)Briefly discuss the four phases of ISMS. (ISCA class notes Pg.no-308)
1) Plan Phase
2) Do Phase
3) Check Phase
4) Act Phase
2) Service Design
3) Service Transition
4) Service Operations
Question 2
(1) Subject to the provisions of this section any subscriber may authenticate an electronic
record by affixing his Digital Signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric
crypto system and hash function which envelop and transform the initial electronic
record into another electronic record.
Explanation -
For the purposes of this sub-section, "Hash function" means an algorithm mapping or
translation of one sequence of bits into another, generally smaller, set known as "Hash
Result" such that an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input making it
computationally infeasible
(a) to derive or reconstruct the original electronic record from the hash result produced
by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm. (3)
Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute
afunctioning key pair.
Emerging Technologies
MAIN QUESTIONS
Question 1
Question 2
Question 3
INDIA
Question 4
HATKE QUESTIONS
Question 1
Question 2
What is Cloud Computing? Explain some pertinent similarities and differences between
Cloud and Grid computing. (ISCA class notes Pg.no-314 &316)
Some pertinent similarities and differences between cloud and grid computing are
highlighted as follows:
• Cloud computing and grid computing both are scalable. Scalability is accomplished
through load balancing of application instances running separately on a variety of
operating systems and connected through Web services. CPU and network bandwidth is
allocated and de-allocated on demand. The system's storage capacity goes up and down
depending on the number of users, instances, and the amount of data transferred at a
given time.
• While the sto age o puti g i the g id is ell suited fo data-intensive storage, it is not
economically suited for storing objects as small as 1 byte. In a data grid, the amounts of
distributed data must be large for maximum benefit. While in cloud computing, we can
store an object as low as 1 byte and as large as 5 GB or even several terabytes.
Question 3
What is Green Computing? Discuss security issues of Green computing in brief.(ISCA class
notes Pg no-340)
If administered properly with other green computing technologies, green security can
be a cost-efficient
The basic aimis to i ease the usto e s e e g sa i gs th ough g ee se u it
services and assess that how sustainable computing technology can immediately help
the e i o e t.
Green IT services present many benefits for clients as well as providers, but knowing
ho to e aluate a lie t s i f ast u tu e to a o odate g ee te h olog is eall a
ital issue .
Moreover, apart from the common security issues, the green security emphasizes the
role of security tools, methods and practices that edu e a o pa se io e tal
impact.
1) Front end
2) Back end
1) Public
2) Private
3) Hybrid
1) IaaS
2) PaaS
3) SaaS
4) NaaS
5) CaaS
Question 2
AB QU CA
1) Confidentiality
2) Integrity
3) Availability
4) Governance
5) Trust
7) Privacy
8) Audit
9) Data Stealing
10) Architecture
(B) Explain, in brief, the challenges for Social Networks using Web 2.0.
2) Malicious users
4) Amenities
1) Cost
2) Impact
3) Standard
4) Security
Question 1
(a) What are the two primary methods through which the analyst would have collected
the data ?
(b) To retain their e-documents for specified period, what are the conditions laid down in
Section 7, Chapter III of Information Technology Act, 2000?
Answer
(a) Two primary methods through which the analyst would have collected the data are
given as follows:
(i) Reviewing Internal Documents: The analyst first tries to learn about the organization
i ol ed i o affe ted the p oje t. Fo e a ple, the su sidia s a ti ities ased o its
(b) Section 7, Chapter III of Information Technology Act, 2000 provides that the
documents, records or information which is to be retained for any specified period shall
be deemed to have been retained if the same is retained in the electronic form provided
the following conditions are satisfied:
(1) Where any law provides that documents, records or information shall be retained for
any specific period, then, that requirement shall be deemed to have been satisfied if such
documents, records or information are retained in the electronic form, –
subsequent reference;
(c) The details, which wil facilitate the identification of the origin, destination, date
and time of dispatch or receipt of such electronic record are available in the
E.g. Company may include clause in its contracts with customers that electronic
documents and correspondence will be considered valid; Electronic documents will have
to be preserved till the contract and all liabilities are discharged; Documents may be
digitally signed with hash values to assure that they have not been altered; All
correspondence with clients may be saved with dates of transmission / receipt; In case
the company changes / upgrades its email or other systems, the new system should be
able to read the old data and retain all data without change etc.
Question 2
(a) What are the types of operations into which the different office activities can be
broadly grouped under office automation systems?
(b) What is meant by Business Continuity Planning? Explain the areas covered by Business
Continuity.
Answer
(i) Document Capture: Documents originating from outside sources like incoming
mails from customers, enquiries, notes, handouts, charts, graphs etc. need to be
(ii) Document Creation: This consists of preparation of documents, editing of texts etc.
and takes up major part of the time of field personnel like salesmen.
(iv) Filling, Search, Retrieval and Follow-up: This is related to filling, indexing, searching of
documents, which takes up significant time. E.g. categorizing various types of documents
and cataloguing all documents under each type, assigning rights for access, retrieval
(v) Calculations: These include the usual calculator functions like routine arithmetic,
operations for bill passing, interest calculations, working out the percentages and the like.
keeping in respect of specific resources utilized by office personnel. All the activities
mentioned have been made very simple and effective by the use of computers. The
application of computers to handle the office activities is also termed as office
automation. Care should be taken to convert old documents which have not been created
in or stored in computers into usable electronic documents so that after the new system
is implemented, these old documents will still be accessible and business can continue as
usual. Office automation systems which are already in use by some departments must be
integrated with the new systems. For e-governance, the company must put in place a
definition of road map of how the systems will be implemented, monitored, measured
(b) Business Continuity Planning (BCP) is the creation and validation of a practical
logistical plan for how an organization will recover and restore partially or completely
interrupted critical functions within a predetermined time after a disaster or extended
disruption. The logistical plan is called a Business Continuity Plan. It is especially
important because the company is planning to embrace office automation in all aspects
of business. This will make it highly dependent on computer systems to run operations,
deal with customers, suppliers and other stakeholders etc. Planning is an activity to be
performed before the disaster occurs otherwise it would be too late to plan an effective
response. The resulting outage from such a disaster can have serious effects on the
viability of a firm's operations, profitability, quality of service, and convenience.
(i) Business Resumption Planning – The Operational piece of business continuity planning
to resume normal operations after a disaster.
(ii) Disaster Recovery Planning – The technological aspect of BCP, the advance planning
and preparation necessary to minimize losses and ensure continuity of critical business
functions of the organization in the event of a disaster. Planning which are minimal level
of operations which must be run, their priority and the sequence in which they need to be
brought up as well as taking steps to be prepared to deal with any emergency.
Question 3
(a) What do you mean by system requirement analysis? What are the activities to be
performed during system requirement analysis phase?
(b) What is the provision given in Information Technology Act 2000 for the retention of
electronic records?
Answer
(a) System requirements analysis is a phase, which includes a thorough and detailed
♦ To identify and consult the stake owners to determine their expectations and resolve
their conflicts e.g. what facilities the business owners require to gain competitive
advantage; whether for meeting 24x7 requirements documents should be accessible over
internet, whether customers and suppliers will also connect to the system;
♦ To analyze requirements to detect and correct conflicts and determine priorities; this
will include identifying the various documents which will need to be migrated to the new
system. In case the existing systems process transactions in a way different from the new
ERP, these differences must be resolved
♦ To gather data or find facts using tools like- interviewing, research/document collection,
questionnaires, observation;
(b) Retention of Electronic Records: [Section 7] of Information Technology Act 2000: The
provision for the retention of electronic records is discussed in Section 7 of IT Act 2000,
which is given as follows:
subsequent reference;
(b) the electronic record is retained in the format in which it was originally
(c) The details, which wil facilitate the identification of the origin, destination, date
and time of dispatch or receipt of such electronic record are available in the
electronic record.
E.g. Company may include clause in its contracts with customers that electronic
documents and correspondence will be considered valid; Electronic documents will have
to be preserved till the contract and all liabilities are discharged; Documents may be
digitally signed with hash values to assure that they have not been altered; All
correspondence with clients may be saved with dates of transmission / receipt; In case
the company changes / upgrades its email or other systems, the new system should be
able to read the old data and retain all data without change etc.
Question 4
ABC Technologies Ltd. deals with the software developments for various domains. The
company is following SDLC best practices for its different activities. For any software to be
developed, after possible solutions are identified, project feasibility i.e. the likelihood that
the system will be useful for the organization, is determined. After this, other stages of
(a) What is a feasibility study? Explain the dimensions under which the feasibility study of
a system is evaluated.
(b) For the development of software, various techniques/models are used e.g. waterfall,
incremental, spiral etc; in which, each has some strengths and some weaknesses.
Answer
(a) A feasibility study is carried out by system analysts, which refers to a process of
evaluating alternative systems through cost/benefit analysis so that the most feasible and
desirable system can be selected for development. The Feasibility Study of a system is
evaluated under following dimensions:
♦ Resources: Are human resources available to develop the solution or are they reluctant
to use it ?
♦ Behavioral: Is the solution going to bring any positive or adverse effect on quality of
work life?
♦ When utilizing a series of mini-waterfalls for a small part of the system before moving
onto the next increment, there is usually a lack of overall consideration of the business
problem and technical requirements for the overall system.
♦ Each phase of iteration is rigid and does not overlap each other.
♦ Problems may arise pertaining to system architecture because not all requirements are
gathered up front for the entire software life cycle.
♦ Since some modules will be completed much earlier than others, hence well-defined
interfaces are required.
All chapters
Q.no 1.
a)What are the major data integrity policies you would suggest ? (5)
b) What are the categories of tests that a programmer typically performs on a (5)
program unit ?
Q.no. 2
Briefly explain the relevant requirements with respect to annual systems audit
b) Discuss some of the pertinent objectives in order to achieve the goals of (6)
Cloud Computing.
c) As an IS auditor, what are the risks reviewed by you relating to IT systems (4)
Q.no. 3
reports etc. Briefly discuss some of the IT tools crucial for business growth.
M . X has ope ed a e depa t e tal sto e and all activities are (6)
computerized. He uses Personal Computers (PCs) for carrying out the business
activities. As an IS auditor, lists the risks related to the use of PCs in the business
them.
Governance.
Q. no. 4
b) You are appointed by a leading enterprise to assess and to evaluate its (6)
Q.no.5
b) What do you mean by Expert System? Briefly explain some of the (6)
system development.
challenging with the use of computers to the auditors. What are the issues which
audit?
b) Define the Agile model of software development and discuss its strengths. (6)
Q.no.7
d) Types of Backups
e) Design of database
All chapters
Q.no 1.
PQR University is a public university; especially known for its Faculty of Commerce and
Management in the country. The faculty offers various UG and PG programs along with
research studies viz. M. Phil and Ph.D. Recently, the Academic Council of the university
approved the proposal of the faculty to start some UG and PG courses in distance
learning mode too. It is observed that the students of distance education are normally
dependent on self-study only along with a little support from the concerned
department/s. In view of this aforementioned fact, the concerned Dean of the faculty
decided to launch a web based Knowledge Portal to facilitate the students of different
courses. It is proposed to upload the Study Materials, e-lectures, Suggested Answers of
last examinations, Mock Test Papers relevant for the coming examinations etc. of the
approved courses on this Knowledge Portal. It is expected that the portal will be very
useful for the students as it aims to provide the access of various academic resources on
anytime anywhere basis. For the implementation of this project, a technical consultant
was appointed by the university. Accordingly, an initial feasibility study under various
dimensions was done and a detailed report was submitted. As a next step, as per the
recommendations of the consultant, an expression of interest was published by the
University in various national/regional newspapers inviting various organizations to
showcase their capabilities and suggest a good solution as per the requirements of the
concerned faculty of the university.
attributes, which attribute will be having the highest priority while developing
(b) What may be the possible dimensions under which the feasibility study (5)
(d) What are the two primary methods through which the analyst would (5)
Q.no. 2
a) What are the factors that influence an organization towards controls (6)
of computers?
Q.no. 3
Q. no. 4
a)Briefly explain requirements of IRDA for System Controls & Audit. (6)
Q.no.5
principles in brief.
governance in an organization.
Q. no. 6
a) Functions of IS Auditor
b) Role of IT in enterprises
c) Audit Hook
e) Unit Testing
All chapters
Q.no 1.
ABC Technologies Ltd. is in the development of web applications for various domains. For
the development purposes, the company is committed to follow the best practices
suggested by SDLC. A system development methodology is a formalized, standardized,
documented set of activities used to manage a system development project. It refers to
the framework that is used to structure, plan and control the process of developing an
information system. Each of the available methodologies is best suited to specific kinds of
projects, based on various technical, organizational, project and team considerations.
(d) What do you mean by system requirement analysis? What are the activities (5)
Q.no. 2
Q.no. 3
c) What do you understand by GEIT? Also explain any three benefits of GEIT. (4)
Q. no. 4
b)Discuss the key management practices, which are required for aligning IT (6)
Q.no.5
audit techniques.
b) What is waterfall model of system development? Also discuss its major (6)
strengths.
Q.no.7
a) Processing Controls
c) Threats of BYOD
d) Types of Plans
e) Data Dictionary
All chapters
Q.no 1.
ABC Group of Industries is in the process of launching a new business unit, ABC
Consultants Ltd. to provide various consultancy services to the organizations worldwide,
to assist them in the computerization of their business modules. It involves a number of
activities starting from capturing of requirements to maintenance. Business continuity
and disaster recovery planning are two key activities in this entire process, which must be
taken care of right from the beginning. Business continuity focuses on maintaining the
operations of an organization, especially the IT infrastructure in face of a threat that has
materialized. Disaster recovery, on the other hand, arises mostly when business
continuity plan fails to maintain operations and there is a service disruption. This plan
focuses on restarting the operations using a prioritized resumption list.
(a) What are the issues, which are emphasized by the methodology for (5)
(b) Explain the objectives of performing Business Continuity Planning tests. (5)
(c) What are the issues, written in a contract that should be ensured by security (5)
(d) What is meant by Business Continuity Planning? Explain the areas covered (5)
Q.no. 2
b) An important task for the auditor as a part of his/her preliminary evaluation is to gain a good
understanding of the technology environment and related control issues. Explain major aspects
that should be considered in this exercise. (6)
Q.no. 3
a) What is the vision of National Cyber Security Policy 2013? Also explain its major objectives.
(6)
b) Discuss the Benefits and Challenges for Social Networks using Web 2.0. (6)
c) Discuss various types of Information Security polices and their hierarchy. (4)
Q. no. 4
a)Discuss Integrated Test Facility (ITF) technique of continuous audit in detail (6)
c)While developing a Business Continuity Plan, what are the key tasks that should be covered
Q.no.5
The success of the process of ensuring business value from use of IT? (6)
can be measured by evaluating the benefits realized from IT enabled investments and
services portfolio and how transparency of IT costs, benefits and risk is i ple e ted .
Explain some of the key metrics, which can be used for such evaluation
c) Briefly explain Auditor Selection Norms with reference to the requirements of SEBI for (4)
Q.no.6
b) What do you understand by TPS? Explain basic features of a TPS in brief. (6)
c) Briefly explain major update controls with reference to database controls in brief. (4)
Q.no.7
b) Trojan Horse
c) System Testing
All chapters
Q.no 1.
ABC Ltd. is a company dealing in various computer hardware items through its various
offices in India and abroad. By recognizing the advantages of connectivity through
internet, recently, the company decided to sell its products in on-line mode also to
fa ilitate its usto e s o ld ide. Fo de elop e t of the o pa s e appli atio s,
the company appointed a technical consultant initially for one year to work on behalf of
the company to take the matter forward. The consultant called various meetings of
different stakeholders and decided to follow the best practices of SDLC for its different
phases. In the current vulnerable world, keeping the importance of information security
in view particularly, he further suggested to consider the security issues from the
inception itself i.e. starting from the requirements analysis phase till maintenance.
Accordingly, efficient ways were also explored to achieve the goals especially for security.
Research Studies reveal that cost and efforts may be reduced up to a considerable level
by incorporating security from the beginning in the SDLC. Read the above carefully and
answer the following:
(a) What is SDLC? Explain the key activities performed in the Requirements Analysis
phase. (5)
(b) Agile methodology is one of the popular approaches of system development. What
are the weaknesses of this methodology in your opinion? (5)
(c) What are the two primary methods through which the analyst would have collected
(d) State and briefly explain the stages of System Development Life Cycle (SDLC). (5)
Q.no. 2
a) What are the major aspects that should be thoroughly examined by an IS Auditor during the
b) Briefly explain Prototyping approach. Also discuss major weaknesses of Prototyping model.
(6)
c) Discuss the maintenance tasks undertaken in the development of a BCP in brief. (4)
Q.no. 3
b) Discuss some of the sample metrics for reviewing the process of evaluating and
assessing compliance with external laws & regulations and IT compliances with internal
policies. (6)
Q. no. 4
a) Write a short note on major activities that should be carried out in implementation. (6)
b)What is Decision Support System (DSS)? Explain the key characteristics of a DSS in brief. (6)
b) The Information Security Policy of an organization has been defined and documented as
given below:
Discuss Information Security Policy and also identify the salient components that have not been
covered in the above policy (6)
c)Discuss key management practices, which are needed to be implemented for evaluating
hethe usi ess alue is de i ed f o IT i a o ga izatio . (6)
Q. no. 6
Q.no.7
a) Risk Assessment
All chapters
Q.no 1.
a) What are the major data integrity policies you would suggest ? (5)
b) What are the categories of tests that a programmer typically performs on a program unit ?
d) What are your recommendations for efficient use of computer and IT resource to
a hie e the o je ti es of G ee Co puti g ? (5)
Q.no. 2
a) ABC Ltd. is a security market intermediary, providing depository services. Briefly explain the
relevant requirements with respect to annual systems audit mandated by SEBI in this regard.
b) Discuss some of the pertinent objectives in order to achieve the goals of Cloud Computing.
c) As an IS auditor, what are the risks reviewed by you relating to IT systems and processes as
Q.no. 3
a) Modern business uses Information Technology to carry out basic functions including
systems for sales, advertisement, purchase, management reports etc. Briefly discuss
some of the IT tools crucial for business growth.
M . X has ope ed a e depa t e tal sto e and all activities are computerized. He
uses Personal Computers (PCs) for carrying out the business activities. As an IS auditor,
lists the risks related to the use of PCs in the business of M . X a d suggest a t o
security measures to be exercised to overcome them.
Q. no. 4
a) As an IS auditor, what are the output controls required to be reviewed with respect to
application controls?
b) You are appointed by a leading enterprise to assess and to evaluate its system of IT internal
controls. What are the key management practices to be followed to carry out the
assignment complying with COBIT 5? (6)
c) Discuss briefly, the four phases of Information Security Management System (ISMS)
Q.no.5
a) While doing audit or self assessment of the BCM Program of an enterprise, briefly describe
b) What do you mean by Expert System? Briefly explain some of the properties that potential
Q. no. 6
a) Compared to traditional audit, evidence collection has become more challenging with the
use of computers to the auditors. What are the issues which affect evidence collection
and understanding the reliability of controls in financial audit? (6)
b) Define the Agile model of software development and discuss its strengths. (6)
d) Types of Backups
e) Design of database
All chapters
Q.no 1.
(a) What are three major attributes of information security? Out of these attributes, which
attribute will be having the highest priority while developing web based knowledge
portal? (5)
(b) What may be the possible dimensions under which the feasibility study of the proposed
(c) What may be the major validation methods fo alidati g the e do s proposal for developing
the Knowledge Portal? (5)
(d) What are the two primary methods through which the analyst would have collected the data
Q.no. 2
a) What are the factors that influence an organization towards controls of computers? (6)
c) Discuss the main provisions provided in Information Technology Act 2000 to facilitate e-
Governance. (4)
Q.no. 3
Q. no. 4
a) Briefly explain requirements of IRDA for System Controls & Audit. (6)
Q.no.5
b) Write short note on Physical Security with reference to Computer Centre Security and Controls.
c) Describe the major benefits achieved through proper governance in an organization. (4)
Q. no. 6
b) What is incremental model of system development? Also discuss its major strengths. (6)
Q.no.7
All chapters
Q.no 1.
Wate fall app oa h is o e of the popula app oa hes fo s stem de elop e t . E plai the
(d) What do you mean by system requirement analysis? What are the activities to be performed
Q.no. 2
Q.no. 3
b) What do you understand by SCARF technique? Explain various types of information collected
c) What do you understand by GEIT? Also explain any three benefits of GEIT. (4)
Q. no. 4
b) Discuss the key management practices, which are required for aligning IT strategy
Q.no.5
Q. no. 6
b) Discuss the key characteristics of Waterfall Model in brief. Also explain its major weaknesses.
c) Explain the objectives of performing BCP tests while developing a business continuity plan.
Q.no.7
a) Processing Controls
c) Threats of BYOD
e) Data Dictionary
All chapters
Q.no 1.
(a) What are the issues, which are emphasized by the methodology for developing a business
(b) Explain the objectives of performing Business Continuity Planning tests. (5)
(c) What are the issues, written in a contract that should be ensured by security administrators
(d) What is meant by Business Continuity Planning? Explain the areas covered by Business
Continuity (5)
Q.no. 2
Q.no. 3
a) What is the vision of National Cyber Security Policy 2013? Also explain its major objectives.
b) Discuss the Benefits and Challenges for Social Networks using Web 2.0. (6)
c) Discuss various types of Information Security polices and their hierarchy. (4)
Q. no. 4
a) Discuss Integrated Test Facility (ITF) technique of continuous audit in detail. (6)
c) While developing a Business Continuity Plan, what are the key tasks that should be covered
The su ess of the p o ess of e su i g usi ess value from use of IT can be measured by
evaluating the benefits realized from IT enabled investments and services portfolio and
how transparency of IT costs, benefits and risk is i ple e ted . E plai so e of the ke
metrics, which can be used for such evaluation (6)
c) Briefly explain Auditor Selection Norms with reference to the requirements of SEBI for
System Controls & Audit. (4)
(ISCA class notes Pg no-303)
Q.no.6
b) What do you understand by TPS? Explain basic features of a TPS in brief. (6)
(ISCA class notes Pg no-63)
c) Briefly explain major update controls with reference to database controls in brief.
Q.no.7
All chapters
Q.no 1.
(a) What is SDLC? Explain the key activities performed in the Requirements Analysis
phase. (5)
(b) Agile methodology is one of the popular approaches of system development. What
are the weaknesses of this methodology in your opinion? (5)
(c) What are the two primary methods through which the analyst would have collected the data ?
(d) State and briefly explain the stages of System Development Life Cycle (SDLC).
Q.no. 2
a) What are the major aspects that should be thoroughly examined by an IS Auditor during the
b) Briefly explain Prototyping approach. Also discuss major weaknesses of Prototyping model.
Q.no. 3
b) Discuss some of the sample metrics for reviewing the process of evaluating and
assessing compliance with external laws & regulations and IT compliances with internal
policies. (6)
Q. no. 4
a) Write a short note on major activities that should be carried out in implementation. (6)
b) What do you mean by TPS? Explain basic features of a TPS in brief. (6)
b) The Information Security Policy of an organization has been defined and documented as
given below:
Discuss Information Security Policy and also identify the salient components that have not
been covered in the above policy (6)
Q. no. 6
Q.no.7
a) Risk Assessment
d) Detective Controls