3 primary security features of relational databases: (1.) Access controls (2.) Encryption (3.) Audit logging
------------------------------------
The 4 categories of risk treatment are: (1.) Avoidance (2.) Transfer (3.) Mitigation (4.) Acceptance
------------------------------------
The 4-item focus of a Balanced Scorecard is: (1.) Financial (2.) Customer (3.) Internal processes (4.) Innovation/Learning
------------------------------------
The 5 types of risks that are related to audits include: (1.) Control Risk (2.) Detection Risk (3.) Inherent risk (4.) Overall audit risk (5.) Sampling risk
------------------------------------
The 7 phases and their order in the SDLC are: (1.) Feasibility (2.) Requirements (3.) Design (4.) Development (5.) Testing (6.) Implementation (7.) Post-implementation
------------------------------------
An Administrative audit is: An audit of operational efficiency.
------------------------------------
An alternate processing center that contains no application servers is known as a: A Cold Site contains no information processing equipment
------------------------------------
Annualized Loss Expectancy (ALE) is defined as: ALE is the annual expected loss to an asset. It is calculated as the single loss expectancy (SLE) x the annualized rate of occurrence (ARO).
------------------------------------
Application Controls: handle application processing
------------------------------------
Application controls limit information systems access in what three ways? (1.) Point of Entry (Input Controls) (2.) During consumption (process controls) (3.) At the point of expression (Output Controls)
------------------------------------
Application Layer protocols:
(1.) Utility (NTP, SNMP, DHCP) (2.) Messaging protocols (SMTP) (3.) Data Transfer protocols (NFS, FTP) (4.) Interactive protocols (Telnet)
------------------------------------
Attribute Sampling means: A sampling technique used to study the characteristics of a population to determine how many samples possess a specific characteristic.
------------------------------------
Audit Methodologies define what 10 elements of an Audit? (1.) Subject of audit (2.) Audit Objective (3.) Type of audit (4.) Audit scope (5.) Pre-audit planning (6.) Audit procedures (7.) Communication plan (8.) Report Preparation (9.) Wrap-up (10.) Postaudit follow-up
------------------------------------
An auditor has detected potential fraud while testing a control objective. What should the auditor do next? Notify the Audit Committee. Because Audit committee members are generally not involved in business operations, they will be sufficiently removed from the matter, and they will have the authority to involve others as needed.
------------------------------------
An auditor has discovered several errors in user account management: many terminated employees' computer accounts are still active. What is the best course of action? To improve the employee termination process to reduce the number of exceptions. For a time, the process should be audited more frequently to make sure that improvement is effective.
------------------------------------
An auditor has discovered that several administrators in an application share an administrative account. What course of action should the auditor recommend? Several separate administrative accounts should be used. This will enforce accountability for each administrator's actions.
------------------------------------
An auditor has reviewed access privileges of some employees and has discovered that employees with longer terms of service have excessive privileges.
What can the auditor conclude from this? User privileges are not being removed from their old position when they transfer to a new position. This results in employees with excessive privileges.
------------------------------------
An auditor is examining a key management process and has found that the IT department is not following its split-custody procedure. What is the likely result of this failure? Someone may be in possession of the entire password for an encryption key. For instance, split custody requires that a password be broken into two or more parts, with each part in the possession of a separate person.
------------------------------------
The audit program is an audit strategy and plans that include: (1.) Scope (2.) Objectives (3.) Resources (4.) Procedures used to evaluate controls and processes
------------------------------------
An audit report usually includes the following 10 elements: (1.) Cover letter (2.) Introduction (3.) Summary (4.) Audit description (5.) List of systems examined (6.) Interviewees (7.) Evidence (8.) Explanation of sampling techniques (9.) Findings (10.) Recommendations
------------------------------------
The availability of IT systems is governed by: (1.) Effective Change Management (2.) Effective Application Testing (3.) Resilient Architecture (4.) Serviceable Components
------------------------------------
BC Plans must be tested to validate effectiveness through: (1.) Document Review (2.) Walkthrough (3.) Simulation (4.) Parallel testing (5.) Cutover testing practices
------------------------------------
The BC process encompasses a lifecycle: (1.) Develop a BC Policy (2.) Conduct BIA (3.) Perform critical analysis (4.) Establish recovery targets (5.) Develop recovery and continuity strategies and plans (6.) Test recovery and continuity plans and procedures (7.) Train personnel (8.) Maintain strategies, plans, and procedures through periodic reviews and updates
------------------------------------
Blade Computer Architecture: consists of a main chassis component equipped with slots that are fitted with individual CPU modules. Main advantage is lower cost per unit.
------------------------------------
Business Continuity focuses on: maintaining service availability with the least disruption to standard operating parameters during an event
------------------------------------
The Business Process Life Cycle aids in the coordinating of business processes using a sequence of what three events? (1.) Business process creation (2.) Implementation (3.) Maintenance 3a.
Benchmarking: Facilitates continuous improvement within the BPLC
------------------------------------
Change Management includes a formal waterfall of six steps:
(1.) Proposal or Request (2.) Review (3.) Approval (4.) Implementation (5.) Verification (6.) Postchange Review
------------------------------------
Cloud computing is: a dynamically scalable and usually virtualized computing environment that is provided as a service. Cloud computing services may be rented or leased so that an organization can have a scalable application without the need for supporting hardware.
------------------------------------
The COBIT Framework is composed of six elements: (1.) Executive Summary (2.) Governance and control framework (3.) Control Objectives (4.) Management Guidelines (5.) Implementation Guide (6.) IT Assurance Guide
------------------------------------
A collection of servers that is designed to operate as a single logical server is known as a: A server cluster is a collection of two or more servers that is designed to appear as a single server.
------------------------------------
A Compliance audit is: An audit to determine the level and degree of compliance to a law, regulation, standard, contract provision, or internal control.
------------------------------------
A computer uses RAM for several purposes: (1.) Operating System, to store info re running processes (2.) Buffers, that are used to temporarily store information retrieved from hard disks (3.) Storage of program code (4.) Storage of program variables
------------------------------------
Confidence coefficient means what? The probability that a sample selected actually represents the entire population. This is usually expressed as a percentage.
------------------------------------
CONFIGURATION MANAGEMENT definition: The process of recording the configuration of IT systems. Each configuration setting is known in ITSM parlance as a Configuration Item.
------------------------------------
Control Risk means: The risk that a material error exists that will not be prevented or detected by the organization's control framework.
------------------------------------
Controls are: The means by which management establishes and measures processes by which organizational objectives are achieved
------------------------------------
COSO (Committee of Sponsoring Organizations of the Treadway Commission): Defines internal controls and provides guidance for assessing and improving internal control systems.
------------------------------------
The COSO cube consists of THREE dimensions: (1.) Objectives (2.) Components (3.) Business Units/Areas
------------------------------------
COSO framework is composed of Four Volumes: (1.) Executive Summary (2.) Framework (3.) Reporting to External Parties (4.) Evaluation Tools
------------------------------------
The COSO pyramid consists of four elements: (1.) Monitoring (2.) Control Environment (3.) Risk Assessment and Control (4.) Information and Communication
------------------------------------
The CPU has: (1.) Arithmetic Logic Unit (2.) Control Unit (3.) a small amount of memory (usually in the form of registers)
------------------------------------
The CPU is: the main hardware component of a computer system, which executes instructions in computer programs.
------------------------------------
A critical application is backed up once per day. The recovery point objective for this system: The RPO for an application that is backed up once per day cannot be less than 24 hours
------------------------------------
A database administrator has been asked to configure a database management system so that it records all changes made by users. What should the DBA implement? The DBA should implement audit logging. This will cause the database to record every change that is made to it.
------------------------------------
A database primary key is: one of a database table's fields, whose value is unique.
------------------------------------
Data Link Layer Standards: (1.) LAN protocols (2.) 802.11 MAC/LLC (WiFi) (3.) Common Carrier packet networks (4.) ARP (5.) ... and DSL (6.) Tunneling - PPTP, L2TP
------------------------------------
Deming Cycle - a four-step quality control process known as PDSA, or PDCA. Steps: (1.) Plan (2.) Do (3.) Study (4.) Act
------------------------------------
Describe the advantages of outsourcing. Outsourcing is an opportunity for the organization to focus on core competencies. When an organization outsources a business function, it no longer needs to be concerned about training employees in that function. Outsourcing does not always reduce costs, because cost reduction is not always the primary goal of outsourcing.
------------------------------------
Detection Risk means: The risk that an IS auditor will overlook errors or exceptions during an audit.
------------------------------------
Disaster Recovery focuses on: post-event recovery and restoration of services
------------------------------------
Disasters are generally grouped in terms of type: (1.) Man-made (2.) Natural
------------------------------------
Discovery Sampling means: A sampling technique where at least one exception is sought in a population
------------------------------------
During an audit, the auditor should obtain what types of documents? (1.) Org charts (2.) Department Charters (3.) third-party contracts (4.) policies and procedures (5.) standards (6.) system documentation
------------------------------------
EMERGENCY CHANGES should include steps: (1.) Emergency Approval (2.) Implementation (3.) Verification (4.) Review
------------------------------------
Examples of Application Controls:
(1.) Authentication (2.) Authorization (3.) Change Management (4.) Completeness checks (5.) Validation checks (6.) Input controls (7.) Output controls (8.) Problem management (9.) Identification/access controls
------------------------------------
Examples of IT General Controls: (1.) Access Control (2.) Change Management (3.) Security Controls (4.) Incident Management (5.) SDLC (6.) Source code and versioning controls (7.) Monitoring and logging (8.) Event Management
------------------------------------
Expected Error Rate means: An estimate that expresses the percent of errors or exceptions that may exist in an entire population
------------------------------------
External auditors are needed under what conditions? (1.) When the organization lacks specific expertise or resources to conduct an internal audit. (2.) Some regulations and standards require external, independent auditors
------------------------------------
An external IS auditor has discovered a segregation of duties issue in a high value process. What is the best action for the auditor to take? The external auditor can only document the finding in the audit report. An external auditor is not in a position to implement controls.
------------------------------------
Features of TCP Transport Layer packet delivery (1.) Reliable delivery (2.) Connection oriented (persistent connection) (3.) Order of Delivery (4.) Flow Control (transfer rate is throttled) (5.) Port Number
------------------------------------
A Financial Audit is: An audit of an accounting system, accounting department processes, and procedures to determine if business controls are sufficient to ensure the integrity of financial statements.
------------------------------------
A fire sprinkler system has water in its pipes, and sprinkler heads emit water only if the ambient temperature reaches 220 deg. F. What type of system is this? A wet pipe fire sprinkler system.
The system is charged with water and will discharge water out of any sprinkler head whose fuse has reached a preset temperature.
------------------------------------
A Foreign Key is: a field in a record in one table that can reference a primary key in another table.
------------------------------------
A Forensic Audit means: An audit that is performed in support of an anticipated or active legal proceeding.
------------------------------------
The foundation of an effective information security program is an information security policy that includes: (1.) Executive Support (2.) Well-defined roles and responsibilities.
------------------------------------
The Four typical Configuration Items in Configuration Management include: (1.) Hardware Complement (physical specifications) (2.) Hardware Configuration (firmware settings) (3.) Operating system version and configuration (4.) Software versions and configuration
------------------------------------
Frameworks are: Collections of Controls that work together to achieve an entire range of an organization's objectives.
------------------------------------
Gantt VS. PERT Gantt: used to display resource details. PERT: shows the current and most up-to-date critical path
------------------------------------
General Controls: Support the functioning of the application controls
------------------------------------
Grid Computing is: a large number of loosely coupled computers that are used to solve a common task; may be in close proximity to each other or scattered over a large geographical area.
------------------------------------
Incident Management - any event which is not part of the standard operation of service and which causes or may cause an interruption to or reduction in quality of that service. Includes THREE incident types: (1.) Service Outage (2.) Service Slowdown (3.) Software Bug
------------------------------------
Individual events may often create combined threats to enterprise operations: A tornado might also spawn structural fires and transportation accidents
------------------------------------
Inherent Risk means:
The risk that there are material weaknesses in existing business processes and no compensating controls to detect or prevent them
------------------------------------
In Release Management, utilizing a gate process means: A gate process means that each step of the release process undergoes formal review and approval before the next step is allowed to begin.
------------------------------------
An Integrated Audit is: An audit that combines an operational audit and a financial audit.
------------------------------------
An IS audit is: An audit of an IS department's operations and systems.
------------------------------------
An IS auditor has discovered a high-risk exception during control testing. What is the best course of action for the IS auditor to take? The IS auditor should immediately inform the auditee when any high-risk situation is discovered.
------------------------------------
An IS auditor is auditing the change management process for a financial application. The auditor has two primary pieces of evidence: change logs and a written analysis of the change logs performed by a business analyst. Which evidence is best and why? The change log is best because it is objective and unbiased.
------------------------------------
An IS auditor is examining the IT standards document for an organization that was last reviewed two years earlier. The best course of action for the IS auditor is: Report that the IT standards are not being reviewed often enough. Two years is far too long between reviews of IT standards.
------------------------------------
An IS auditor needs to perform an audit of a financial system and needs to trace individual transactions through the system. What type of testing should the auditor perform? Substantive Testing, which is a test of transaction integrity.
------------------------------------
IS auditors can stay current with technology through the following means: (1.) training courses (2.) webinars (3.) ISACA chapter training events (4.)
Industry conferences
------------------------------------
IT Governance is most concerned with.... IT Strategy
------------------------------------
ITIL definition of CHANGE MANAGEMENT: The process to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes.
------------------------------------
ITIL definition of PROBLEM: A condition often identified as a result of multiple incidents that exhibit common symptoms. Problems can also be identified from a single significant incident for which the impact is significant.
------------------------------------
IT Service Management consists of 11 distinct activities: (1.) Service Desk (2.) Incident Management (3.) Problem Management (4.) Change Management (5.) Configuration Management (6.) Release Management (7.) Service-level Management (8.) Financial Management (9.) Capacity Management (10.) Service Continuity Management (11.) Availability Management
------------------------------------
IT Service Management is defined in what International Process Framework? ITIL - IT Infrastructure Library. ITIL content is managed by the UK-based Office of Government Commerce.
------------------------------------
IT Services Financial Management is the portion of IT management that tracks the financial value of IT services that support organizational objectives. It includes activities: (1.) Budgeting (2.) Capital Investment (3.) Expense Management (4.) Project accounting and project ROI (Return on Investment.)
------------------------------------
Judgmental sampling means: A sampling technique where items are chosen based upon the auditor's judgment, usually based on risk or materiality.
------------------------------------
Name the 5 types of Evidence that the auditor will collect during an audit. (1.) Observations (2.) Written Notes (3.) Correspondence (4.) Process and Procedure documentation (5.) Business records
------------------------------------
Name the Eight Types of Audits (1.) Operational (2.) Financial (3.) Integrated (4.) IS (5.) Administrative (6.) Compliance (7.) Forensic (8.)
Service Provider
------------------------------------
Name the seven types of sampling an auditor can perform.
(1.) Statistical (2.) Judgmental (3.) Attribute (4.) Variable (5.) Stop-or-Go (6.) Discovery (7.) Stratified
------------------------------------
Name the three Types of Controls (1.) Physical (2.) Technical (3.) Administrative
------------------------------------
Name the two Categories of Controls (1.) Automatic (2.) Manual
------------------------------------
Network Layer Protocols: (1.) IP (2.) ICMP (3.) RRC (Radio Resource Control) (4.) AppleTalk
------------------------------------
An Operational Audit is: An audit of IS controls, security controls, or business controls to determine control existence and effectiveness.
------------------------------------
The options for Risk Treatment are: Risk Mitigation, Risk Avoidance, Risk Transfer, Risk Acceptance
------------------------------------
An organization experiences frequent malware infections on end-user workstations that are received through email, despite the fact that workstations have anti-virus software. What is the best means for reducing malware? Implementing antivirus software on the email servers will provide an effective defense-in-depth, which should help to reduce the number of viruses encountered on end-user workstations.
------------------------------------
An organization has chosen to open a business office in another country where labor costs are lower and has hired workers to perform business functions there. This organization has done what? The organization is insourcing - while they may have opened the office in a foreign country, they have hired locals to do the work as opposed to contracting with a third party.
------------------------------------
An organization has discovered that some of its employees have criminal records. What is the best course of action for the organization to take? The organization should have background checks performed on all of its existing employees and also begin instituting background checks of all new-hires.
It is not necessarily required to terminate the employees - their offenses may not warrant termination.
------------------------------------
An organization is building a data center in an area frequented by power outages. The organization cannot tolerate power outages. What power system controls should be selected? The best solution is an electric generator and an uninterruptible power supply. The UPS responds to the outage, and the generator provides backup power for extended periods.
------------------------------------
An organization that has experienced a sudden increase in its long-distance charges has asked an auditor to investigate. What activity is the auditor likely to suspect is responsible for this? The auditor is most likely to suspect that intruders have discovered a vulnerability in the organization's PBX and are committing toll fraud.
------------------------------------
An organization that is undertaking a business continuity plan should perform what first? A business impact analysis is the first major task in a disaster recovery or business continuity planning project.
------------------------------------
An organization wants to reduce the number of user IDs and passwords that its employees need to remember. What is the best available solution to this problem? Reduced sign-on. This provides a single authentication service (such as LDAP or AD) that many applications can use for centralized user authentication.
------------------------------------
OSI: Data Link Layer: Information is arranged in frames and transported across the medium. Collision detection. Checksum verification of delivery.
------------------------------------
OSI Layer 5: Session used to control connections that are established between systems (1.) TCP (2.) UDP (3.) SIP (Session Initiation Protocol) (4.) RPC (Remote Procedure Call) (5.) NetBIOS
------------------------------------
OSI Layer 6: Presentation used to translate or transform data from lower layers into formats that the application layer can work with.
------------------------------------
OSI Layer 7: Application contains programs that communicate directly with the end user.
------------------------------------
OSI: Network Layer The delivery of messages from one station to another via one or more networks. Routes packets between networks.
------------------------------------
OSI: Physical Layer: concerned with electrical and physical specifications for devices. No frames or packets involved.
------------------------------------
OSI: Transport Layer Concerns the reliability of data transfer between systems. (1.) Connection Oriented (2.) Guaranteed Delivery (3.) Order of Delivery
------------------------------------
The party that performs strategic planning, addresses near-term and long-term requirements aligning business objectives, and technology strategies. The Steering Committee
------------------------------------
The possibility that a process or procedure will be unable to prevent or deter serious errors and wrongdoing is known as: Control Risk.
------------------------------------
Precision means what? A representation of how closely a sample represents an entire population.
------------------------------------
The primary purpose for a change management process is to: The main purpose for change management is to review and approve proposed changes to systems and infrastructure. This helps to reduce the risk of unintended events and unplanned downtime.
------------------------------------
The primary source for test plans in a software development project is: The REQUIREMENTS that are developed for a project should be the primary source for detailed tests.
------------------------------------
PROBLEM MANAGEMENT: When several incidents have occurred that appear to have the same or a similar root cause, a PROBLEM is occurring.
------------------------------------
A programmer is updating an application that saves passwords in plaintext. What is the best method for securely storing passwords? Passwords should be stored in a hash. This makes it impossible for any person to retrieve a password, which could lead to account compromise.
------------------------------------
A project manager needs to identify the tasks that are responsible for project delays. What approach should the project manager use? Critical Path Methodology helps a project manager determine which activities are on a project's critical list.
------------------------------------
The purpose of a Balanced Scorecard is: To measure organizational performance and effectiveness against strategic goals.
------------------------------------
The purpose of Function Point Analysis (FPA) is to: FPA is used to estimate the effort required to develop a software program.
------------------------------------
The purpose of Input validation checking is: To ensure that input values are within established ranges, of the correct character types, and free of harmful contents.
------------------------------------
The purpose of the Internet Layer in the TCP/IP model is: Delivery of packets from one station to another, on the same network or on different networks.
------------------------------------
The purpose of the ISO 20000 Standard: Framework for auditing and measuring IT Service Management Processes.
------------------------------------
A quantitative risk analysis is more difficult to perform because: It is difficult to get accurate figures on the frequency of specific threats. It is difficult to determine the probability that a threat will be realized. It is relatively easy to determine the value of an asset and the impact of a threat event.
------------------------------------
Rating Scale for Process Maturity consists of six levels: (0.) No process at all (1.) Processes are ad hoc and disorganized (2.) Consistent processes (3.) Documented processes (4.) Measured and managed processes (5.) Processes are continuously improved
------------------------------------
Recovery time objective is defined as: A Recovery Time Objective (RTO) is defined as the maximum period of downtime for a process or application
------------------------------------
Referential Integrity: A database term, which means that the database will not permit a program (or user) to delete rows from a table if there are records in other tables whose foreign keys reference the row to be deleted.
------------------------------------
Registers are: The memory locations in the CPU where arithmetic values are stored.
------------------------------------
RELEASE MANAGEMENT: ITIL term used to describe the SDLC. The Release process is used for several types of system changes: (1.) Incidents and problem resolution (bug fixes.) (2.) Enhancements (new functionality.) (3.) Subsystem patches and changes (require testing similar to when changes are made to the application itself.)
------------------------------------
A Sample Mean is: The sum of all samples divided by the number of samples.
------------------------------------
Sample Standard Deviation means: A computation of the variance of sample values from the sample mean. This is a measurement of the spread of values in a sample
------------------------------------
Sampling means: A technique that is used to select a portion of a population when it is not feasible to test an entire population.
------------------------------------
Sampling Risk means: The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient.
------------------------------------
A Server Cluster is: a tightly coupled collection of computers that are used to solve a common task. One or more actively perform tasks, while zero or more may be in a standby state.
------------------------------------
Service Continuity Management is: the set of activities that is concerned with the ability of the organization to continue to provide services, primarily in the event that a natural or man-made disaster has occurred.
------------------------------------
Service Level Management means: use of a set of monitoring and review activities that confirm whether IS operations is providing service to its customers.
------------------------------------
A Service Provider audit means: An audit of a third-party organization that provides services to other organizations.
------------------------------------
Six steps of the Release Management process: (1.) Requirements (2.) Design (3.) Development (4.) Testing (5.) Release preparation (packaging) (6.) Release Deployment
------------------------------------
A software developer has informed the project manager that a portion of the application development is going to take five additional days to complete. The project manager should do what? When any significant change needs to occur in a project plan, a project change request should be created to document the reason for the change.
------------------------------------
The Software Program Library is a facility that is used to store and manage access to an organization's application source and object code. It consists of 5 parts: (1.) Access and authorization controls (2.) Program checkout (3.) Program Check-in (4.) Version Control (5.) Code Analysis
------------------------------------
Statistical Sampling means: A sampling technique where items are chosen at random; each item has a statistically equal probability of being chosen.
------------------------------------
Stop-or-go Sampling means: A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor feels that there is a low risk or low rate of exceptions in the population.
------------------------------------
Stratified Sampling means: A sampling technique where a population is divided into classes or strata, based upon the value of one of the attributes. Samples are then selected from each class.
------------------------------------
TCP/IP Internet Layer: Delivers messages from one station to another on the same network or on different networks. Messaging at this layer is not guaranteed.
------------------------------------
TCP/IP Link Layer: lowest layer. Delivers messages (frames) from one station to another via the local network.
------------------------------------
TCP/IP Network Model: (1.) Link (2.) Internet (3.) Transport (4.) Application
------------------------------------
TCP/IP Transport Layer consists of two main packet transport protocols: TCP and UDP.
------------------------------------
The first step in Business Impact Analysis is: The first step in a business impact analysis is the inventory of all in-scope business processes and systems
------------------------------------
To determine effectiveness of a disaster recovery program, an IT auditor should: Examine documentation and interview personnel
------------------------------------
Tolerable Error Rate means: The highest number of errors that can exist without a result being materially misstated.
------------------------------------
Transport Layer Protocols (1.) TCP (2.) UDP
------------------------------------
Two main types of Controls: (1.) General (2.) Application
------------------------------------
Under what circumstances should an auditor use subjective sampling? Subjective sampling is used when the auditor wants to concentrate on samples known to represent high risk.
------------------------------------
Variable Sampling means: a sampling technique used to study the characteristics of a population to determine the numeric total of a specific attribute across the entire population.
------------------------------------A Virtual Server is: an active instance of a server operating system running on a machine that is designed to house two or more such virtual servers.
------------------------------------WAN Protocols: (1.) MPLS (2.) SONET (3.) T-Carrier (4.) Frame Relay (5.) ISDN (6.) X.25
------------------------------------A web application is displaying information incorrectly and many users have contacted the IT service desk. This matter should be considered: a problem. A problem is defined as a condition that is the result of multiple incidents that exhibit common symptoms.
------------------------------------What activity involves the identification of potential risk and the appropriate response for each threat, based on impact assessment using qualitative and/or quantitative measures, for an enterprise-wide risk management strategy? Risk Management
------------------------------------What are Project Management Strategies useful for? Project management strategies guide program execution through the organization of resources and the development of clear project objectives.
------------------------------------What are the 7 SDLC Phases? (1.) Feasibility Study (2.) Definition of Requirements (3.) Design (4.) Development (5.) Testing (6.) Implementation (7.) Post-implementation
------------------------------------What is a Gantt Chart? Gantt charts are used to schedule and sequence activities in a waterfall-type representation. Planned activities are shown flowing downward to completion. Simpler than a PERT diagram.
------------------------------------What is a PERT Diagram? Program Evaluation and Review Technique (PERT) is used to illustrate the relationships between planned activities. PERT diagrams show multiple routes through the project activities, as necessary for accomplishing a goal.
------------------------------------What is Business Realization? Business Realization is the result of strategic planning, process development, and systems development, which all contribute toward a launch of business operations to reach a set of business objectives.
------------------------------------What is the Capability Maturity Model? A model used to measure the relative maturity of an organization and its processes.
------------------------------------What is Capability Maturity Model Integration (CMMI)? CMMI is a maturity model that represents the aggregation of other maturity models.
------------------------------------What is the appropriate role of an IS auditor in a control self-assessment? The IS auditor should act as a subject matter expert (SME) in the control self-assessment, but should not play a major role in the process.
------------------------------------What is the best approach for identifying high-risk areas for an audit? The IS auditor should conduct a risk assessment first to determine which areas have the highest risk, then devote more testing resources to those high-risk areas.
------------------------------------What is the Critical Path Methodology? A technique used to identify the critical path in a project, in order to understand which tasks are most likely to affect the project schedule.
------------------------------------What is the most important consideration for site selection of a hot site? Geographic location of the hot site is most important. If the primary site and the hot site are too close together, a single event may affect both locations.
------------------------------------What is the purpose of a Capability Maturity Model? A CMM helps an organization assess the maturity of its business processes, which is an important first step in any large-scale process improvement effort.
------------------------------------What is the purpose of a criticality analysis? A criticality analysis is used to determine which business processes are the most critical, by ranking them in order of criticality.
------------------------------------
What is the purpose of an auditor doing interviews? To observe personnel to better understand their discipline, as well as the organization's culture and maturity.
------------------------------------What is the purpose of a Security Awareness program? To communicate security policies, procedures, and other security-related information to an organization's employees.
------------------------------------What is the purpose of a Statement of Impact? A Statement of Impact describes the effect on the business if a process is incapacitated for any appreciable time.
------------------------------------What personnel should be involved in the requirements phase of a software development project? (1.) Developers (2.) Architects (3.) Analysts (4.) Users
------------------------------------What testing activities should developers perform during the development phase? Developers should only be performing unit testing, to verify that the individual sections of code they have written are performing properly.
------------------------------------What three elements allow validation of business practices against acceptable measures of regulatory compliance, performance, and standard operational guidelines? (1.) Policies (2.) Procedures (3.) Standards
------------------------------------What type of testing is performed to determine if control procedures have proper design and are operating properly? Compliance Testing
------------------------------------What type of testing is performed to verify the accuracy and integrity of transactions as they flow through a system? Substantive Testing
------------------------------------Who is responsible for imposing an IT governance model encompassing IT strategy, information security, and formal enterprise architectural mandates? IT executives and the Board of Directors