1 of 8
Total Marks = 80
Q.2 (a)

Phase 1: Feasibility Study
Determine the strategic benefits of implementing the system, either in productivity gains or in future cost avoidance; identify and quantify the cost savings of a new system; and estimate a payback schedule for the costs incurred in implementing the system.

Phase 2: Requirements Definition
Define the problem or need that requires resolution, and define the functional and quality requirements of the solution system. This can be either a customized approach or a vendor-supplied software package, which would entail following a defined and documented acquisition process.

Phase 3A: Software Selection & Acquisition (purchased systems)
Based on the requirements defined, prepare an RFP for suppliers of purchased systems. In addition to the functionality requirements, there will be operational, support and technical requirements; these, together with considerations of the supplier's financial viability and provision for escrow, will be used to select the purchased system that best meets the organization's total requirements.

Phase 3B: Design (in-house development)
Based on the requirements defined, establish a baseline of system and subsystem specifications that describe the parts of the system, how they interface, and how the system will be implemented using the chosen hardware, software and network facilities.

Phase 4A: Development (in-house development)
Use the design specifications to begin programming and formalizing the supporting operational processes of the system. Various levels of testing also occur in this phase to verify and validate what has been developed. This would generally include all unit and system testing, as well as several iterations of user acceptance testing.

Phase 4B: Configuration (purchased systems)
Configure the system, if it is a packaged system, to tailor it to the organization's requirements. This is best done through the configuration of system control parameters rather than by changing program code. Modern software packages are extremely flexible, making it possible for one package to suit many organizations simply by switching functionality on or off and setting parameters in tables.

Phase 5: Final Testing & Implementation
Establish the actual operation of the new information system, with the final iteration of user acceptance testing and user sign-off conducted in this phase. The system may also go through a certification and accreditation process to assess the effectiveness of the business application in mitigating risks to an appropriate level, and to provide management accountability over the effectiveness of the system in meeting its intended objectives and in establishing an appropriate level of internal control.

Phase 6: Post-implementation
Following the successful implementation of a new or extensively modified system, implement a formal process that assesses the adequacy of the system and the projected cost-benefit or ROI measurements vis-à-vis the feasibility stage findings and deviations.
the processing is terminated for some other reason. Sequential access is the only method for data stored on tape, but it can also be used for data on a direct access device such as a disk. Sequential processing makes it unnecessary to know the exact location of each data item, because data are processed according to the order in which they are sorted.

Direct Access
Processing events as they occur requires direct access: the ability to find an individual item in a file immediately. Magnetic disk storage was developed to provide this capability. To understand how direct access works, imagine that the phone directory is stored on a hard disk.

Indexed Access
A third method for finding data is indexed access. An index is a table used to find the location of data. The index indicates where alphabetical groups of names are stored. The user enters the name Sam Patterson, and the program uses the index to decide where to start searching for the phone number.
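To make the three access methods concrete, here is an added example in Python; it is not part of the original answer sheet. A constructed phone directory is written as fixed-length records to an in-memory file standing in for a disk. `sequential_lookup` reads records in sorted order until it finds or passes the name (the tape model), `read_record` seeks straight to a record number (direct access), and `indexed_lookup` consults an index of the first record position of each alphabetical group so that only that group is scanned. All names, phone numbers, record widths and function names are invented for the demonstration.

```python
"""Sequential, direct and indexed access to a fixed-length-record phone directory.

Added example, not from the original answer sheet. The directory contents,
record layout and index are constructed here so the script runs offline.
"""
import bisect
import io

# Constructed sample data, stored sorted by name so that sequential
# processing can rely on the sort order (as the text describes).
ENTRIES = sorted([
    ("Sam Patterson", "555-0142"),
    ("Alice Ahmed", "555-0101"),
    ("Brian Chen", "555-0110"),
    ("Maria Lopez", "555-0133"),
    ("Zoe Young", "555-0199"),
    ("Peter Nolan", "555-0150"),
])

NAME_W, PHONE_W = 24, 12
REC_LEN = NAME_W + PHONE_W  # fixed-length records make offset arithmetic possible


def build_directory(entries):
    """Write the records to an in-memory 'disk' (BytesIO) at fixed offsets."""
    disk = io.BytesIO()
    for name, phone in entries:
        disk.write(name.ljust(NAME_W).encode() + phone.ljust(PHONE_W).encode())
    return disk


def read_record(disk, n):
    """Direct access: seek to record n without touching any other record."""
    disk.seek(n * REC_LEN)
    raw = disk.read(REC_LEN)
    return raw[:NAME_W].decode().rstrip(), raw[NAME_W:].decode().rstrip()


def sequential_lookup(disk, name):
    """Sequential access: read records in order until the name is found or
    passed (the file is sorted, so passing it means it is absent).
    Returns (phone_or_None, records_read)."""
    disk.seek(0)
    reads = 0
    while True:
        raw = disk.read(REC_LEN)
        if len(raw) < REC_LEN:          # end of tape/file
            return None, reads
        reads += 1
        rec_name = raw[:NAME_W].decode().rstrip()
        if rec_name == name:
            return raw[NAME_W:].decode().rstrip(), reads
        if rec_name > name:
            return None, reads


def build_index(entries):
    """Index: the first record number of each alphabetical group (initial
    letter). Returns a sorted list of (letter, first_record_no)."""
    index = {}
    for n, (name, _) in enumerate(entries):
        index.setdefault(name[0], n)
    return sorted(index.items())


def indexed_lookup(disk, index, name, n_records):
    """Indexed access: use the index to choose the starting record, then scan
    only that alphabetical group. Returns (phone_or_None, records_read)."""
    letters = [letter for letter, _ in index]
    pos = bisect.bisect_right(letters, name[0]) - 1
    if pos < 0:                          # initial letter sorts before every group
        return None, 0
    start = index[pos][1]
    end = index[pos + 1][1] if pos + 1 < len(index) else n_records
    reads = 0
    for n in range(start, end):
        rec_name, phone = read_record(disk, n)
        reads += 1
        if rec_name == name:
            return phone, reads
        if rec_name > name:
            break
    return None, reads


if __name__ == "__main__":
    disk = build_directory(ENTRIES)
    idx = build_index(ENTRIES)
    print("direct, record 3:", read_record(disk, 3))
    print("sequential:", sequential_lookup(disk, "Sam Patterson"))
    print("indexed:", indexed_lookup(disk, idx, "Sam Patterson", len(ENTRIES)))
```

The second element of each lookup's return value is the number of records read: finding Sam Patterson sequentially costs five reads in this six-record directory, while the index sends the scan straight to the "S" group and costs one. Fixed-length records are what make `seek(n * REC_LEN)` valid; with variable-length records the index would have to store byte offsets instead of record numbers.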
Q.3 (a) E-Commerce Models:
E-commerce models include the following:
Business-to-consumer (B-to-C) relationships: The greatest potential power of e-commerce comes from its ability to redefine the relationship with customers by creating a new, convenient, low-cost channel to transact business.
E-commerce Risks:
Some of the most important elements at risk are:
Confidentiality. Potential consumers are concerned about providing unknown vendors with personal (sometimes sensitive) information for a number of reasons, including the possible theft of credit card information from the vendor following a purchase.
DISCLAIMER: The suggested answers provided on and made available through the Institute's website may only be referred to, relied upon or treated as a guide and substitute for professional advice. The Institute does not take any responsibility for the accuracy, completeness or currency of the information provided in the suggested answers. Therefore, the Institute is not liable to attend to or receive any comments, observations or criticism related to the suggested answers.
Availability. The Internet holds out the promise of doing business on a 24-hour, seven-day-a-week basis. Hence high availability is important, with any systems failure becoming immediately apparent to customers or business partners.
Power shift to customer. The Internet gives consumers unparalleled access to market
information and generally makes it easier to shift between suppliers. Firms participating in
e-business need to make their offerings attractive and seamless in terms of service
delivery. This will involve not only system design, but also reengineering of business
processes.
b) Wireless Transmission:
Wireless transmission does not need a fixed physical connection because it sends signals
through air or space. All wireless transmission uses a particular frequency in the
electromagnetic spectrum, regardless of whether the transmission is a television program, a
cellular telephone call, or computerized data. To prevent different uses of wireless transmission
from interfering with each other, governments allocate specific frequency ranges to specific
uses. Within those ranges, the governments allocate specific frequencies to individual users,
including radio and television broadcasters and businesses that use certain frequencies for
data communications.
Cordless and cellular phones both achieve portability by moving from wired to wireless channels. Cordless phones for a home transmit to a base unit within a small radius, such as 100 feet. Cell phones transmit signals to a grid of cellular stations that are linked to the wire-based telephone network. Cell phones originally operated only within metropolitan areas with nearby cellular stations, but many cellular networks have now expanded outside these areas.
Although not as visible in everyday life, microwave transmission was the earliest of the four
types of wireless transmission. It has been used for several decades to transmit both voice and
data. Because earth-based microwave transmission is restricted to line of sight, microwave
towers must be placed no more than 30 miles apart unless they are located on mountains or
tall buildings. The line of sight restriction limits the use of microwave transmission within city
centers. Microwave transmission can also be disrupted by atmospheric conditions and is
comparatively easy to intercept.
Telecommunications satellites move in geostationary orbits that remain 22,300 miles above the
same part of the earth. At this altitude, the satellite can send signals to earth stations up to
11,000 miles apart. These satellites can carry 40,000 simultaneous telephone calls or 200
television channels. Satellite communication has many advantages. Because it doesn't use a wire channel and doesn't need earth-bound relay towers, it can be used in remote areas.
Unlike undersea telephone cables, satellite earth stations can be placed near the people who
use them and are therefore easier to maintain and repair. Unlike wired transmission, the cost of
satellite communication is the same regardless of the distance between the sender and
receiver on earth.
Q.4 (a)

Infrastructure as a Service (IaaS): Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party.

Platform as a Service (PaaS): Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.

Software as a Service (SaaS): Capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin interface such as a web browser (e.g., web-based e-mail).
Advantages, Disadvantages and Business Risks and Risk Reduction Options Related to Outsourcing

Possible Advantages
- Commercial outsourcing companies can achieve economies of scale through the deployment of reusable component software.
- Outsourcing vendors are likely to be able to devote more time and to focus more effectively and efficiently on a

Possible Disadvantages and Business Risks
- Costs exceeding customer expectations
- Loss of internal IS experience
- Loss of control over IS
- Vendor failure (ongoing concern)
- Limited product access
- Difficulty in reversing or changing outsourced arrangements
b) Classification of Audits:
The IS auditor should understand the various types of audits.
Financial audits. The purpose of a financial audit is to assess the accuracy of financial
reporting. A financial audit will often involve detailed, substantive testing, although
increasingly, auditors are placing more emphasis on a risk- and control-based audit
approach.
Integrated audits. An integrated audit combines financial and operational audit steps.
An integrated audit is also performed to assess the overall objectives within an
organization, related to financial information and assets safeguarding, efficiency and
compliance.
Administrative audits. These are oriented to assess issues related to the efficiency of
operational productivity within an organization.
IS audits. This process collects and evaluates evidence to determine whether the
information systems and related resources adequately safeguard assets, maintain data
and system integrity and availability, provide relevant and reliable information, achieve
organizational goals effectively, consume resources efficiently, and have, in effect,
internal controls that provide reasonable assurance that business, operational and
control objectives will be met and that undesired events will be prevented, or detected
and corrected, in a timely manner.
Specialized audits. Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal controls be evaluated in these environments.
Cold sites are facilities with the space and basic infrastructure adequate to support resumption of operations, but lacking any IT or communications equipment, programs, data or office support. A plan that specifies that a cold site will be utilized must also include provision to acquire and install the requisite hardware, software and office equipment to support the critical applications when the plan is activated.

Warm sites are facilities with space and basic infrastructure, and some or all of the required IT and communications equipment installed. The equipment may be less capable than the normal production equipment yet still be adequate to sustain critical applications on an interim basis. Typically, employees would be transferred to the warm site, and current versions of programs and data would need to be loaded before operations could resume there.

Hot sites are facilities with space and basic infrastructure and all of the IT and communications equipment required to support the critical applications, along with office furniture and equipment for use by the staff. Hot sites usually maintain installed versions of the programs required to support critical applications. The most recent backup copies of data would need to be loaded before critical applications could be resumed. Although hot sites may have a small staff assigned, employees are usually transferred to the hot site from the primary site to support operations upon activation.

Mirrored sites are fully redundant sites with real-time data replication from the production site. They are fully equipped and staffed, and can assume critical processing with no interruption noticeable by the users.
b) Sourcing Practices
Where the organization performs its IS functions in-house, it may choose to move them offsite or offshore. The IS auditor can assist in this process by ensuring that IS management considers the following risks and audit concerns when defining the globalization strategy and completing the subsequent transition to remote offshore locations:
Legal, regulatory and tax issues: Operating in a different country or region may introduce new risks about which the organization may have limited knowledge.
Continuity of operations: Business continuity and disaster recovery may not be adequately provided for and tested.
Personnel: Needed modifications to personnel policies may not be considered.
Telecommunication issues: Network controls and access from remote or offshore locations may be subject to more frequent outages or a larger number of security exposures.
Cross-border and cross-cultural issues: Managing people and processes across multiple time zones, languages and cultures may present unplanned challenges and problems.
Q.6

Senior management commitment and support
Commitment and support from senior management are important for successful

Policies and procedures
declaration of direction, addressing the value of information assets, the need for security, and the importance of defining a hierarchy of classes of sensitive and critical assets. After approval by the governing body of the organization and by related roles and responsibilities, the information security program will be substantiated with the following: The policy should ensure resource conformity with laws and regulations. Security policies and procedures must be up to date and reflect business objectives, as well as generally accepted security standards and practices.

Organization

Security awareness and education
receive appropriate training and regular updates to foster security awareness and compliance with written security policies and procedures. For new employees, this training should occur before access to information or services is granted. A number of different mechanisms available for raising security awareness include:

Monitoring and compliance
an organization's security program(s). To fulfil this task, they must have an understanding of the protection schemes, the security framework and the related issues, including compliance with applicable laws and regulations. As an example, these issues may relate to organizational due diligence for security and privacy of sensitive information, particularly as it relates to specific industries (e.g., banking and financial institutions, health care).

Incident handling and response

THE END