Question
1. (TCO 3) Which of the following preventive controls are necessary to provide adequate security for social engineering threats? (Points : 2)
Controlling remote access
Encryption
Host and application hardening
Awareness training
2. (TCO 3) Multi-factor authentication (Points : 2)
Involves the use of two or more basic authentication methods.
Is a table specifying which portions of the systems users are permitted to access.
Provides weaker authentication than the use of effective passwords.
Requires the use of more than one effective password.
3. (TCO 3) The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as (Points : 2)
availability.
security.
maintainability.
integrity.
4. (TCO 3) Which of the following is not one of the 10 internationally recognized best practices for protecting the privacy of customers' personal information? (Points : 2)
Access.
Monitoring and enforcement.
Registration.
Security.
5. (TCO 3) With which stage in the auditing process are the consideration of risk factors and materiality most associated? (Points : 2)
audit planning
collection of audit evidence
communication of audit results
evaluation of audit evidence
6. (TCO 3) Identify six physical access controls. (Points : 5)
7. (TCO 3) Explain why the auditor's role in program development and acquisition should be limited. (Points : 5)
Explanation / Answer
1. Encryption
2. Is a table specifying which portions of the systems users are permitted to access.
3. security.
4. Access.
5. audit planning
6. (TCO 3) Identify six physical access controls. (Points : 5)
Unauthorized or Unidentified Persons
Deliveries
Visitors
Access Device
Dormitory Facilities
Employees
7. (TCO 3) Explain why the auditor's role in program development and acquisition should be limited. (Points : 5)

There is a global concern that many IT development projects fail or are completed with substantial budget overrun or scope reduction. The failure rate and challenged (launched over budget, over schedule and with fewer functions) rate of larger IT development projects are alarming—72 percent in the US alone.[1] The impact of project failure does not stop at loss of investment and budget overrun. It also adversely affects investors' confidence. As reported in the Harvard Business Review,[2] when Oxford Health Plans declared in October 1997 that its complex computer system for processing claims and payments (the project lasted more than five years) was not producing results, the company's stock price dropped 63 percent, destroying more than US $3 billion in shareholder value within a single day.

Former ISACA International President Deepak Sarup[3] has covered the issue of why projects fail with management ignoring obvious warning signs. To avoid runaway projects, Sarup suggests the following solutions:
Establish an early warning system.
Recognize the role of the exit champion.
Focus on the quality of the decision rather than the outcome.
Schedule regular, independent reviews of every major project.
Provide for fail-safe options.

These suggestions indicate that the key to success in IT development projects is effective monitoring of controls applied by senior management and project management. The success stories of IT development projects support this observation.

The chief information officer (CIO) at Mercy Health Partners[4] in Ohio, Jim Albin, shared his success story of managing a project portfolio using the "buy, sell or hold" approach, a merit evaluation process where the project is evaluated for its merit in meeting goals and objectives (interim merit reviews). Another successful monitoring technique used by management is extreme project management,[5] which forces project managers to leave technology discussions and development of solutions to the technical team, while the managers deal with external stakeholders and the management and monitoring aspects of the project. In monitoring and completing a project successfully, the auditor also has a significant role.

The Auditor's Role
Traditionally, the auditor's role is to evaluate whether adequate controls within the project management and business processes are incorporated and validate the effectiveness of those controls. In other words, the auditor's primary objective of auditing IT development projects is two-fold:
Safeguard capital investments. Auditors should evaluate controls within the project management processes and proactively make recommendations to mitigate risks that may hinder achieving project objectives and goals.
Proactively recommend internal controls. Auditors should ensure that adequate controls are incorporated during the development phases of business and system processes before they are introduced to the business operation.

Audit Process
As a preparatory step, the auditor needs to understand the overall framework of the IT development processes. Figure 3 depicts the detailed activities within a large IT development and delivery project, including the overall project governing structure. This framework covers three pillars of IT development and delivery processes: program oversight, project management and system development life cycle (SDLC). Many organizations combine these three pillars into one or two pillars. The two-pillar model is the most common, where project management and the system development process (SDLC) are combined into one pillar, with program oversight set at the corporate level.

Control 1—Dedicated Management Functions
Many project failures are due to the behavioral issue of not addressing the problems on time or, in Sarup's terms, "ignoring the warnings." Without dedicated duties and responsibilities, there is no accountability. Therefore, dedicated functions for the three key areas (depicted in Figure 3) are an effective control (appropriate responsibility and accountability of the IT development and delivery processes). The auditor should make certain that there is an effective framework in place to ensure appropriate commitment and accountability from all involved parties. This includes behavioral issues and the quality of the decision making.

Control 2—Extreme Project Management
The framework should adequately facilitate the extreme project management technique. While the project manager is accountable to the stakeholders, the IT leaders engaged in the project keep the end users satisfied. This framework forces the project to be completed to the end users' and stakeholders' satisfaction. The auditor's role here is to validate whether this project management structure is in place and functioning effectively.

Control 3—Interim Merit Reviews
The framework should also cover the investment portfolio decision-making processes for project selection, prioritization and completion. Figure 3 provides suggested interim review points under each segment of the IT development and delivery process. They provide sufficient information to substantiate a reliable decision. As an example, at the functional design stage, technical information on data volume and process frequency needs to be gathered to assure the completeness of the design. This provides the assurance of whether such functionality can be feasibly built into the project budget. The auditor's role is to assess whether the interim reviews are performed with adequate and reliable information and whether the decisions are made on the merits of the project rather than the outcome.

Control 4—Scope Reduction
If a project requires a significant scope change, an alarm should be raised. Scope reduction must have the sponsor's and senior management's approval based on qualitative information. On too many occasions, the scope reduction does

Control 5—Fail-safe Approach
A fail-safe approach is an effective control for any large project. This approach forces the project to be broken down into manageable phases, so that if problems occur, a particular phase can be rolled back or modified without jeopardizing the whole project. Auditors need to emphasize the importance of backup and contingency planning from the initial stages of the project. Many project managers focus on recovery plans only at the end of the project. If the capabilities of the system are released in logical phases, the project is manageable and fail-safe, and the sponsors and end users are comfortable accepting the system delivered.

Control 6—Business Engagement
Joint engagement of the IT staff and end users in the project is another key control. For example, in the Juniper Networks Inc. case, CIO Kim Perdikou stated that they were six months into developing a browser-based, self-service customer system when IT and customer service managers realized that the system was not meeting the company's needs.[6] The business unit leaders agreed to terminate the whole project. It is important to engage business staff to understand the system and the new functionalities required by the business. The auditor needs to identify adequate business staff engagement in the project as an effective control, rather than relying only on user acceptance testing (UAT), which is completed at a later stage of the project.