SECTION 1-QUESTIONS AND ANSWERS

CHAPTER 1

Concepts of Governance and Management of Information Systems

MAIN QUESTIONS

Question 1

Write short notes on the following with reference to Governance Dimensions:

(i) Conformance or Corporate Governance Dimension

(ii) Performance or Business Governance Dimension

(ISCA class notes Pg no-11 & 12)

Question 2

Write short note on the Role of IT in enterprises.

(ISCA class notes Pg no-19)

Question 3

Explain the key functions of IT Steering Committee in brief.

(ISCA class notes Pg no-21)

Question 4

Explain the following terms with reference to Information Systems:

(i) Risk (ISCA class notes Pg no-31)

(ii) Threat (ISCA class notes Pg no-30)

(iii) Vulnerability (ISCA class notes Pg no-29)

CA Swapnil Patni Page 1


(iv) Exposure (ISCA class notes Pg no-30)

(v) Attack (ISCA class notes Pg no-31)

Question 5

Define the following terms: (ISCA class notes Pg no-31 & 32)

(i) Likelihood of threat

(ii) Countermeasure

(iii) Residual Risk

Question 6

Briefly explain various risk management strategies. (ISCA class notes Pg no-33)

• Tolerate/Accept the risk

• Terminate/Eliminate the risk

• Transfer/Share the risk

• Treat/mitigate the risk

• Turn back

Question 7

Discuss the five principles of COBIT 5 in brief.

(ISCA class notes Pg no-42)

Principle 1: Meeting Stakeholder Needs

Principle 2: Covering the Enterprise End-to-End

Principle 3: Applying a Single Integrated Framework

Principle 4: Enabling a Holistic Approach

Principle 5: Separating Governance from Management

Question 8

Discuss various categories of enablers under COBIT 5.

(ISCA class notes Pg no-44)

P3ICSO

HATKE QUESTIONS

Question 1

"The success of the process of ensuring business value from use of IT can be measured by evaluating the benefits realized from IT enabled investments and services portfolio and how transparency of IT costs, benefits and risk is implemented." Explain some of the key metrics, which can be used for such evaluation.

(ISCA class notes Pg no-27)

Question 2

Discuss some of the sample metrics for reviewing the process of evaluating and
assessing compliance with external laws & regulations and IT compliances with internal
policies

(ISCA class notes Pg no-39)

SIMILAR TYPE OF QUESTIONS

Question 1

(A) Describe the major benefits achieved through proper governance in an organization.
(ISCA class notes Pg no-10)

1) Responsibilities are assigned

2) Desirable behavior for IT

3) Implementing desirable business process

4) Internal relationship- improved

5) Aligned decision making

6) Providing stability

(B) Explain the key benefits of IT Governance achieved at highest level in an
organization.(ISCA class notes Pg no-13)

1) Value

2) Risk

3) Cost

4) Customer satisfaction

5) IT business- tune

6) Business wide

7) Compliance/ control

8) Agile

9) Optimal Utilization

C) Explain the key benefits of GEIT.(ISCA class notes Pg no-14)

1) IT aligned with enterprise governance

2) IT related decisions line with enterprise strategies

3) Compliance with law

4) IT related process effective

5) IT ensures governance-board members are met

Question 2

(A) What are the key governance practices that are required to implement GEIT in an
enterprise? (ISCA class notes Pg no-14)

(B) Discuss key management practices, which are needed to be implemented for evaluating whether business value is derived from IT in an organization.

(ISCA class notes Pg no-26)

(C) Describe the key governance practices of risk management.

(ISCA class notes Pg no-35)

1) Evaluate 2) Direct 3) Monitor

Question 3

(A) Discuss the key management practices, which are required for aligning IT
strategy with enterprise strategy.(ISCA class notes Pg no-25)

1) Understand enterprise direction

2) Assess the current environment, capabilities and performance

3) Define the target IT capabilities

4) Conduct a gap analysis

5) Define the strategic plan and road map

6) Communicate the IT strategy and direction

(B) Describe key management practices for implementing risk management.

(ISCA class notes Pg no-35)

1) Collect data

2) Analyze risk

3) Maintain a risk profile

4) Articulate risk

5) Define a risk management action portfolio

6) Respond to risk

(C) Describe key management practices for ensuring compliance with external
compliances as relevant to the enterprise.(ISCA class notes Pg no-38)

1) Identify external compliance requirements

2) Optimize response to external requirements

3) Confirm external compliance

4) Obtain assurance of external compliance

Question 4

a) Write a short note on Evaluating IT Governance Structure and Practices by Internal Auditors. (ISCA class notes Pg no-48)

i) Leadership
ii) Organizational Structure
iii) Processes
iv) Risks
v) Controls
vi) Performance Measurement/Monitoring

b)Discuss the areas, which should be reviewed by internal auditors as a part of the review
of Governance, Risk and Compliance.

(ISCA class notes Pg no-49)

Major areas, which should be reviewed by internal auditors as a part of the review of Governance, Risk and Compliance, are given as follows:

1) Scope

2) Governance

3) Evaluate Enterprise Ethics

4) Risk Management

5) Interpretation

6) Risk Management Process

7) Evaluate Risk Exposures

8) Evaluate Fraud and Fraud Risk

9) Address Adequacy of Risk Management Process

c) Write a short note on sample areas of review for assessing and managing risks. (ISCA class notes Pg no-51)

The specific areas evaluated are:

i) Risk management ownership and accountability;
ii) Different kinds of IT risks (technology, security, continuity, regulatory, etc.);
iii) Defined and communicated risk tolerance profile;
iv) Root cause analyses and risk mitigation measures;
v) Quantitative and/or qualitative risk measurement;
vi) Risk assessment methodology; and
vii) Risk action plan and timely reassessment.

d) Discuss the key management practices for assessing and evaluating the system of
internal controls in an enterprise in detail.

(ISCA class notes Pg no-51)

The key management practices for assessing and evaluating the system of internal controls in an enterprise are given as follows:

i. Monitor Internal Controls
ii. Review Business Process Controls Effectiveness
iii. Perform Control Self-assessments
iv. Identify and Report Control Deficiencies
v. Ensure that assurance providers are independent and qualified
vi. Plan Assurance Initiatives
vii. Scope assurance initiatives
viii. Execute assurance initiatives

CHAPTER 2

Information Systems Concepts


MAIN QUESTIONS

Question 1

Define the following terms briefly: (ISCA class notes Pg no-55)

(a) Abstract System

(b) Physical System

(c) Open System

(d) Closed System

(e) Deterministic System

(f) Probabilistic System

Question 2

Explain basic features of a TPS in brief.(ISCA class notes Pg no-63)

LABS

Question 3

Briefly discuss major misconceptions about MIS.(ISCA class notes Pg no-66)

Following are the major misconceptions about MIS:

Question 4

Discuss various examples of DSS in Accounting.(ISCA class notes Pg no-72)

2 cost + 1 sfm+ 1 accounts

Question 5

Write short notes on the following:(ISCA class notes Pg no-77 & 79)

(i)Text Processing Systems

(ii)Teleconferencing and Video-conferencing Systems

Question 6

What is an Expert System? Discuss some of the business implications of Expert Systems in
brief.(ISCA class notes Pg no-80)

Question 7

Describe the major benefits of Expert Systems in brief.

(ISCA class notes Pg no-81)

Expert thinks they are not emotional

Question 8

Discuss some of the properties that potential applications should possess to qualify for Expert System development. (ISCA class notes Pg no-81)

STRUCTURE ABCDE

Question 9

Discuss some of the important implications of Information Systems in business.

(ISCA class notes Pg no-83)

Following are some of the important implications of Information Systems in business:

• Information Systems help managers in efficient decision-making to achieve organizational goals.

• An organization will be able to survive and thrive in a highly competitive environment on the strength of a well-designed Information System.

• Information Systems help in making the right decision at the right time, i.e. just in time.

• A good Information System can help in generating innovative ideas for solving critical problems.

• Knowledge gathered through Information Systems can be utilized by managers in unusual situations.

• An Information System is viewed as a process; it can be integrated to formulate a strategy of action or operation.

Question 10

Write a short note on Role of information in business

(ISCA class notes Pg no-87)

• In today's dynamic business environment, it becomes mandatory to have complete information and knowledge of customer buying habits and market strategy for any enterprise.

• Timely, accurate, meaningful and action-oriented information enhances an organization's ability and capacity to deal with and develop in mission, competition, performance and change.

• The information can be categorized on the basis of its requirement by the top, middle and lower level management.

HATKE QUESTIONS

Question 1

"There is a practical set of principles to guide the design of measures and indicators to be included in an EIS". Explain those principles in brief.

(ISCA class notes Pg no-75)

Question 2

Discuss the difference between EIS and Traditional Information Systems.

(ISCA class notes Pg no-76)

Question 3

Differentiate between DSS and Traditional MIS.(ISCA class notes Pg no-72)

Question 4

What do you understand by TPS? Briefly discuss the key activities involved in a TPS.(ISCA
class notes Pg no-61).

SIMILAR TYPE OF QUESTIONS

Question 1

(A)Discuss major characteristics of an effective MIS.

(ISCA class notes Pg no-64)

Manager halet halet…

(B)Explain major characteristics of an EIS.(ISCA class notes Pg no-73)

Top level's decision…

(C) Explain major characteristics of information used in executive decision making. (ISCA class notes Pg no-74)

FILL HIGH

D) Discuss important characteristics of Computer based Information Systems in brief. (ISCA class notes Pg no-58)

E) What is Information? Briefly discuss its attributes.

(ISCA class notes Pg no-84)

In the transport car…

F) What is Decision Support System (DSS)? Explain the key characteristics of a DSS in
brief.(ISCA class notes Pg no-69)

Question 2

(A)Discuss the components of Information Systems in brief.

(ISCA class notes Pg no-57)

(B)What are the principal components of a TPS? Discuss in brief.

(ISCA class notes Pg no-62)

(C) Explain the components of a DSS in brief. (ISCA class notes Pg no-70)

(D)Components of EMCS

Question 3

(A) Discuss the categories of information on the basis of requirement by different levels of management. (ISCA class notes Pg no-87)

(B) Discuss the categories of information systems on the basis of requirement by different levels of management. (ISCA class notes Pg no-90)

Question 4

A) Describe the main pre-requisites of a Management Information System, which make it an effective management tool. (ISCA class notes Pg no-66)

Effective MIS require STD

B) "There are various constraints, which come in the way of operating an MIS". Explain any four such constraints in brief. (ISCA class notes Pg no-68)

S3E

C) What are major limitations of MIS? Explain in brief. (ISCA class notes Pg no-68)

Major Limitations of MIS are given as follows:

• The quality of the outputs of MIS is basically governed by the quality of input and processes.
• MIS is not a substitute for effective management.
• MIS may not have requisite flexibility to quickly update itself.
• MIS cannot provide tailor-made information packages suitable for every type of decision made by executives.
• MIS takes into account mainly quantitative factors.
• MIS is less useful for making non-programmed decisions.
• The effectiveness of MIS is reduced in enterprises, where the culture of hoarding information and not sharing with others is prevalent.
• MIS effectiveness decreases due to frequent changes in top management, organizational structure and operational team.

CHAPTER 3
Protection of Information Systems
MAIN QUESTIONS

Question 1

Discuss various types of Information Security polices and their hierarchy.

(ISCA class notes Pg no-102)

Question 2

What are the key components of a good security policy? Explain in brief.

(ISCA class notes Pg no-103)

Question 3

Write a short note on impact of technology on internal controls.

(ISCA class notes Pg no-104)

Rama's personal bride…

Question 4

Discuss five interrelated components of internal controls.

(Same question is on chp 1 also) (ISCA class notes Pg no-106)

Question 5

What do you understand by Financial Controls? Explain major financial control techniques
in brief.(ISCA class notes Pg no-113)

ABCDIS4

Question 6

What do you understand by Boundary Controls? Explain major boundary control
techniques in brief.(ISCA class notes Pg no-116)

Question 7

Discuss the three processes of Access Control Mechanism, when a user requests
for resources.(ISCA class notes Pg no-136)

• Identification

• Authentication

• Authorization

Question 8

Discuss Locks on Doors with respect to physical access controls in brief.

(ISCA class notes Pg no-137)

Question 9

Describe major controls over environmental exposures.

(ISCA class notes Pg no-139)

Question 10

What is Cyber Fraud? Differentiate between pure cyber frauds and cyber enabled frauds
(ISCA class notes Pg no-141)

HATKE QUESTIONS

Question 1

The Information Security Policy of an organization has been defined and documented as
given below:

"Our organization is committed to ensure Information Security through established goals and principles. Responsibilities for implementing every aspect of specific applicable
proprietary and general principles, standards and compliance requirements have been defined. This is reviewed at least once a year for continued suitability with regard to cost and technological changes."

Discuss Information Security Policy and also identify the salient components that have not
been covered in the above policy.

(ISCA class notes Pg no-101)

A Policy is a plan or course of action, designed to influence and determine decisions,


actions and other matters. The security policy is a set of laws, rules, and practices that
regulates how assets including sensitive information are managed, protected, and
distributed within the user organization.

An Information Security Policy addresses many issues such as disclosure, integrity and
availability concerns, who may access what information and in what manner, basis on
which access decision is made, maximized sharing versus least privilege, separation of
duties, who controls, who owns the information, and authority issues.

Issues to address: This policy does not need to be extremely extensive, but clearly state
senior management's commitment to information security, be under change and
version control and be signed by an appropriate senior manager. The policy should at
least address the following issues:

• a definition of information security,

• reasons why information security is important to the organization, and its goals and
principles,

• a brief explanation of the security policies, principles, standards and compliance


requirements,

• definition of all relevant information security responsibilities, and

• reference to supporting documentation.

Question 2

"There are various general guidelines, with reference to 'Segregation of Duties', which are followed in addition with the concepts like 'maker should not be the checker'." Explain those guidelines. (ISCA class notes Pg no-112)

• Separate those, who can run live programs e.g. operations department, from those who can change programs e.g. programmers. This is required in order to ensure that unauthorized programs are prevented from running.
• Separate those, who can access the data e.g. data entry and the DBA, from those who can run programs e.g. computer operators. This is required in order to ensure that unauthorized data entry cannot take place.
• Separate those, who can input data e.g. data entry, from those, who can reconcile or approve data e.g. data authorization persons. This is required in order to ensure that unauthorized data entry cannot take place.
• Separate those, who can test programs e.g. users, quality assurance and security, from those, who can develop programs e.g. application programmers. This is required in order to ensure that unauthorized programs cannot be allowed to run.
• Separate those, who can enter errors in a log e.g. data entry operator, who transfer the data to an error log, from those who can correct the errors like the end user departments. This is required in order to ensure that unauthorized data entry cannot take place.
• Separate those, who can enter data e.g. data entry personnel, from those who can access the database e.g. the DBA. This is required in order to ensure that unauthorized data entry or data modification cannot take place.

Question 3

Explain five organization control techniques in brief.

(ISCA class notes Pg no-110)

Organizational control techniques include documentation of :

(i) Reporting responsibility and authority of each function,

(ii) Definition of responsibilities and objectives of each functions,

(iii) Policies and procedures,

(iv) Job descriptions, and

(v) Segregation of duties.

Question 4

Explain some of the key ways to control remote and distributed data processing
applications in brief.

(ISCA class notes Pg no-)

Remote and distributed data processing applications can be controlled in many ways.
Some of these are given as follows:

• Remote access to computer and data files through the network should be
implemented.

• Having a terminal lock can assure physical security to some extent.

• Applications that can be remotely accessed via modems and other devices should be
controlled appropriately.

• Terminal and computer operations at remote locations should be monitored carefully and frequently for violations.

• In order to prevent unauthorized users from accessing the system, there should be proper control mechanisms over system documentation and manuals.

• Data transmission over remote locations should be controlled. The location which
sends data should attach needed control information that helps the receiving location to
verify the genuineness and integrity.

• When replicated copies of files exist at multiple locations, it must be ensured that all identical copies contain the same information and checks are also implemented to ensure that duplicate data does not exist.

SIMILAR TYPE OF QUESTIONS

Question 1

(A) Explain different classifications of sensitive information.

(ISCA class notes Pg no-99)

1) Strategic plans

2) Business operations

3) Finances

(B) Explain different classifications of information.(ISCA class notes Pg no-120)

1) Top secret

2) Highly confidential

3) Proprietary

4) Internal use

5) Public documents

Question 2

(A) Classification of controls on basis of functions. (ISCA class notes Pg no-108)

1) Accounting controls

2) Operational controls

3) Administrative controls

(B) Classification of controls on basis of objective. (ISCA class notes Pg no-108)

1) Preventive controls

2) Detective controls

3) Corrective controls

4) Compensatory controls

(C) Classification of controls on basis of IS resources.

(ISCA class notes Pg no-109)

1) Environmental controls

2) Physical access controls

3) Logical access controls

4) IS operational controls

5) IS management controls

6) SDLC controls

Question 3

(A) Briefly explain major update controls with reference to database controls in brief. (ISCA
class notes Pg no-119)

1) Sequence check between transaction and master files

2) Ensure all records on files are processed

3) Maintain a suspense account

(B) Briefly explain major report controls with reference to database controls in brief. (ISCA
class notes Pg no-119)

1) Standing data

2) Print run-to-run control totals

3) Print suspense account entries

4) Existence/Recovery controls

Question 4

(A) Explain various forms of technical exposures in brief.

(ISCA class notes Pg no-127)

The worm on the horse…

(B) Explain various forms of asynchronous attacks in brief.

(ISCA class notes Pg no-130)

Piggy wrapped the data around the wire

Question 5
Discuss major dimensions under which the impact of cyber frauds on enterprises can be
viewed and impact or exposure of logical access control

(ISCA class notes Pg no-143)

• Financial Loss

• Legal Repercussions

• Loss of Credibility or Competitive Edge

• Disclosure of Confidential, Sensitive or Embarrassing Information

Question 6

a) What is Data Integrity? Explain six categories of integrity controls in brief. (ISCA class notes Pg no-121)

There are six categories of integrity controls summarized:

(i) Source Data Control

(ii) Input Validation Controls

(iii) On-line Data Entry Controls

(iv) Data Processing and Storage Controls

(v) Output Controls

(vi) Data Communications Controls

b)Briefly explain major data integrity policies.(ISCA class notes Pg no-123)

• Virus-Signature Updating
• Software Testing
• Division of Environments
• Offsite Backup Storage
• Quarter-End and Year-End Backups
• Disaster Recovery

CHAPTER 4

Business Continuity Planning and Disaster Recovery Planning

MAIN QUESTIONS

Question 1

Discuss the goals of Business Continuity planning.(ISCA class notes Pg no-155)

Weak ccd

Question 2

Describe the areas covered by business continuity.

(ISCA class notes Pg no-154)

Question 3

Discuss the advantages of Business Continuity Management.

(ISCA class notes Pg no-153)

Threats can disrupt your testing and training.

Question 4

Explain in brief the components of BCM process.(ISCA class notes Pg no-158)

1) Management Process

2) Information Collection Process

3) Strategy Process

4) Development and Implementation Process

5) Testing and Maintenance Process

6) Training Process

Question 5

Write a short note on major activities that should be carried out in implementation. (ISCA
class notes Pg no-159)

Question 6

What are the major documents that should be the part of a Business Continuity
Management system? Explain in brief.(ISCA class notes Pg no-160)

Question 7

Write a short note on Business Impact Analysis. (ISCA class notes Pg no-161)

Question 8

Write a short note on Risk Assessment.

(ISCA class notes Pg no-163)

• The risk assessment is assessment of the disruption to critical activities, which are supported by resources such as people, process, technology, information, infrastructure supplies and stakeholders.
• The enterprise should determine the threats and vulnerabilities of each resource, and the impact that would have, in case it becomes a reality.
• For ready reference, specific threats may be described as events or actions, which could, at some point, cause an impact to the resources, e.g. threats such as fire, flood, power failure, staff loss, staff absenteeism, computer viruses and hardware failure.
• Vulnerabilities might occur as weaknesses within the resources and can, at some point, be exploited by the threats, e.g. single points of failure, inadequacies in fire protection, electrical resilience, staffing levels, IT security and IT resilience.

• The Security Assessment will enable the business continuity team to improve any existing emergency plans and to implement required emergency plans where none exist. This is similar to the vulnerability assessment phase of developing a BCP.
• Impacts might result from the exploitation of vulnerabilities by threats.
• As a result of the BIA and the risk assessment, the enterprise should identify measures that:

(i) reduce the likelihood of a disruption;

(ii) shorten the period of disruption; and

(iii) limit the impact of a disruption on the enterprise's key products and services.

Question 9

Discuss the maintenance tasks undertaken in the development of a BCP in brief. (ISCA class
notes Pg no-166)

Major maintenance tasks undertaken in development of a BCP are to:

• Determine the ownership and responsibility for maintaining the various BCP strategies within the enterprise;

• Identify the BCP maintenance triggers to ensure that any organizational, operational, and structural changes are communicated to the personnel who are accountable for ensuring that the plan remains up-to-date;

• Determine the maintenance regime to ensure the plan remains up-to-date;

• Determine the maintenance processes to update the plan; and

• Implement version control procedures to ensure that the plan is maintained up-to-date.

Question 10

Describe contents of a Disaster Recovery and Planning Document.

(ISCA class notes Pg no-172)

Taj e o last…

Question 11

Write short notes on the following:

(i)BCP Manual(ISCA class notes Pg no-152)

(ii) BCP Strategy Process(ISCA class notes Pg no-163)

(iii) BCM Testing (ISCA class notes Pg no-165)

(iv) BCM Maintenance (ISCA class notes Pg no-166)

HATKE QUESTIONS

Question 1

While developing a Business Continuity Plan, what are the key tasks that should be
covered in the second phase 'Vulnerability Assessment and General Definition of Requirement'? (ISCA class notes Pg no-156)

• A thorough Security Assessment of the computing and communications environment including personnel practices; physical security; operating procedures; backup and contingency planning; systems development and maintenance; database security; data and voice communications security; systems and access control software security; insurance; security planning and administration; application controls; and personal computers.

• The Security Assessment will enable the project team to improve any existing
emergency plans and disaster prevention measures and to implement required
emergency plans and disaster prevention measures where none exist.

• Present findings and recommendations resulting from the activities of the Security Assessment to the Steering Committee so that corrective actions can be initiated in a timely manner.

• Define the scope of the planning effort.

• Analyze, recommend and purchase recovery planning and maintenance software required to support the development of the plans and to maintain the plans current following implementation.

• Develop a Plan Framework.

Question 2

Describe the methodology of developing a Business Continuity Plan. Also enumerate its
eight phases.(ISCA class notes Pg no-155)

(i) Providing management with a comprehensive understanding of the total efforts required to develop and maintain an effective recovery plan;

(ii) Obtaining commitment from appropriate management to support and participate in the effort;

(iii) Defining recovery requirements from the perspective of business functions;

(iv) Documenting the impact of an extended loss of availability to operations and key business functions;

(v) Focusing appropriately on disaster prevention and impact minimisation, as well as orderly recovery;

(vi) Selecting business continuity teams that ensure the proper balance required for plan
development;

(vii) Developing a business continuity plan that is understandable, easy to use and
maintain; and

(viii) Defining how business continuity considerations must be integrated into ongoing business planning and system development processes in order that the plan remains viable over time.

The eight phases are given as follows:

(i) Pre-Planning Activities (Business Continuity Plan Initiation),

(ii) Vulnerability Assessment and General Definition of Requirements,

(iii) Business Impact Analysis,

(iv) Detailed Definition of Requirements,

(v) Plan Development,

(vi) Testing Program,

(vii) Maintenance Program, and

(viii) Initial Plan Testing and Plan Implementation.

Question 3

A company has decided to outsource its recovery process to a third party site. What are
the issues that should be considered by the security administrators while drafting the
contract? (ISCA class notes Pg no-172)

If a third-party site is to be used for recovery purposes, security administrators must ensure that a contract is written to cover the following issues:

• How soon the site will be made available subsequent to a disaster;

• The number of organizations that will be allowed to use the site concurrently in the
event of a disaster;

• The priority to be given to concurrent users of the site in the event of a common
disaster;

• The period during which the site can be used;

• The conditions under which the site can be used;

• The facilities and services the site provider agrees to make available;

• Procedures to ensure security of the company's data from being accessed/damaged by other users of the facility; and

• What controls will be in place for working at the off-site facility

SIMILAR TYPE OF QUESTIONS

Question 1

(A) Discuss the objectives of Business Continuity planning.

(ISCA class notes Pg no-155)

To make the BCP successful……

(B) Discuss the objectives of Business Continuity Policy.

(ISCA class notes Pg no-154)

Responsibilities are assigned to continue….

(C)Explain the objectives of performing BCP tests while developing a business continuity
plan. (ISCA class notes Pg no-166)

The objectives of performing BCP tests are:

(i) The recovery procedures are complete and workable.

(ii) The competence of personnel in their performance of recovery procedures can be evaluated.

(iii) The resources such as business processes, systems, personnel, facilities and data are obtainable and operational to perform recovery processes.

(iv) The manual recovery procedures and IT backup system/s are current and can either
be operational or restored.

(v) The success or failure of the business continuity training program is monitored.

Question 2

(A) Discuss the types of plans.(ISCA class notes Pg no-168)

1) Emergency plan

2) Back-up plan

3) Recovery plan

4) Test plan

(B) Discuss the types of back-ups.

OR

Discuss the software and data back-up techniques.

(ISCA class notes Pg no-170)

1) Full back-up

2) Differential back-up

3) Incremental back-up

4) Mirror back-up

(C) Discuss the alternate processing facility arrangements

(ISCA class notes Pg no-171)

1) Cold site

2) Hot site

3) Warm site

4) Reciprocal agreement

Question 3

(A) Write short note on audit of business continuation/disaster recovery plan:

(ISCA class notes Pg no-173)

(B) What are the key aspects that should be verified during audit/self-assessment of an
enterprise's BCM program while reviewing BCM arrangements? (ISCA class notes Pg no-167)

An audit or self-assessment of the enterprise's BCM program should verify that:

(i) All key products and services and their supporting critical activities and resources have been identified and included in the enterprise's BCM strategy;

(ii) The enterprise's BCM policy, strategies, framework and plans accurately reflect its priorities and requirements (the enterprise's objectives);

(iii) The enterprise's BCM competence and its BCM capability are effective and fit-for-purpose and will permit management, command, control and coordination of an incident;

(iv) The enterprise's BCM solutions are effective, up-to-date and fit-for-purpose, and appropriate to the level of risk faced by the enterprise;

(v) The enterprise's BCM maintenance and exercising programs have been effectively implemented;

(vi) BCM strategies and plans incorporate improvements identified during incidents and
exercises and in the maintenance program;

(vii) The enterprise has an ongoing program for BCM training and awareness;

(viii) BCM procedures have been effectively communicated to relevant staff, and that
those staff understand their roles and responsibilities.

CHAPTER 5

Acquisition, Development and Implementation of Information Systems

MAIN QUESTIONS

Question 1

Bring out the reasons as to why organizations fail to achieve their Systems Development
Objectives? (ISCA class notes Pg no-177)

Question 2

Discuss the key characteristics of Waterfall Model in brief. Also explain its major
weaknesses. (ISCA class notes Pg no-181)

Question 3

What is waterfall model of system development? Also discuss its major strengths. (ISCA
class notes Pg no-180)

Question 4

Briefly explain Prototyping approach.(ISCA class notes Pg no-181)

Question 5

Describe major strengths and weaknesses of Prototyping model.

(ISCA class notes Pg no-182 &183)

Question 6

What is incremental model of system development? Also discuss its major strengths. (ISCA
class notes Pg no-184)

Question 7

Describe major weaknesses of Incremental model.(ISCA class notes Pg no-182)

Question 8

Explain major strengths and weaknesses of Spiral model.

(ISCA class notes Pg no-184)

Question 9

What is Rapid Application Development? Discuss its strengths and weaknesses in
brief. (ISCA class notes Pg no-185)

Question 10

What do you understand by agile model of software development? Also explain its major
strengths and weaknesses in brief.(ISCA class notes Pg no-187)

Question 11

Explain the key features of agile model (ISCA class notes Pg no-187)

Question 12

State and briefly explain the stages of System Development Life Cycle (SDLC).

(ISCA class notes Pg no-189)

Question 13

What are the possible advantages of SDLC from the perspective of IS Audit?

1) The IS auditor can have a clear understanding of the various phases of the SDLC on the
basis of the detailed documentation created during each phase of the SDLC.
2) The IS Auditor, on the basis of his/her examination, can state in his/her report about
the compliance by the IS management with the procedures, if any, set by
management.

3) If the IS Auditor has technical knowledge and ability to handle different areas of SDLC,
s/he can be a guide during the various phases of SDLC.
4) The IS auditor can provide an evaluation of the methods and techniques used
through the various development phases of the SDLC.

Question 14

What are the major aspects that need to be kept in mind while eliciting information to
delineate scope?

(ISCA class notes Pg no-)

• Different users may represent the problem and required solution in different ways. The
system developer should elicit the need from the initiator of the project (alternately
called champion or executive sponsor of the project). Addressing his concerns should be
the basis of the scope.

• While the initiator of the project may be a member of the senior management, the
actual users may be from the operating levels in an organization. An understanding of
their profile helps in designing appropriate user interface features.

• While presenting the proposed solution for a problem, the development organization
has to clearly quantify the economic benefits to the user organization. The
information required has to be gathered at this stage. For example, when a system is
proposed for Road tax collection, data on the extent of collection and defaults is required
to quantify benefits that will result to the Transport Department.

• It is also necessary to understand the impact of the solution on the organization: its
structure, roles and responsibilities. Solutions, which have a wide impact, are likely to be
met with greater resistance. ERP implementation in organizations is a classic example of
change management requirement. Organizations that have not been able to handle it
may have a very poor ERP implementation record with disastrous consequences.

• While economic benefit is a critical consideration when deciding on a solution, there
are several other factors that have to be given weightage too. These factors are to
be considered from the perspective of user management and resolved. For example, in a
security system, how foolproof it is, may be a critical factor.

Question 15

What do you understand by feasibility study? Explain various types of feasibility studies in
detail.(ISCA class notes Pg no-191)

Rakhi ke boy friend

Question 16

Discuss in detail, how the analysis of present system is made by the system analyst? Or A
Company is offering a wide range of products and services to its customers. It relies
heavily on its existing information system to provide up to date information. The
company wishes to enhance its existing system. You being an information system auditor,
suggest how the investigation of the present information system should be conducted so
that it can be further improved upon. (ISCA class notes Pg no-196)

DIDI KE HOME

Question 17

What do you understand by 'Requirement analysis' and what are the major objectives of
system requirements analysis phase in the SDLC?

(ISCA class notes Pg no-194)

• This is a very important phase of software development, since any error in this phase
would affect all subsequent phases of development.

• During the requirement analysis phase of the traditional approach, the focus is on
determining user needs, studying the application area in depth, assessing the
strengths and weaknesses of the present system and reporting results to
management.

• The aim of the requirement analysis is to thoroughly understand the user requirement
and remove any inconsistencies and incompleteness in these requirements.

• After the analyst has collected all the required information regarding the system to be
developed, and has removed all the inconsistencies and abnormalities from the
specifications, he starts to systematically organize the requirements into the SRS
(System Requirement and Specification) document. This SRS is submitted to the
customer for approval and becomes a contract document for further development.

Major objectives of system requirements analysis phase in the SDLC are given as follows:

• To identify and consult stakeholders to determine their expectations and resolve their
conflicts;

• To analyze requirements to detect and correct conflicts and determine priorities;

• To gather data or find facts using tools like interviewing, research/document
collection, questionnaires, observation;

• To verify that the requirements are complete, consistent, unambiguous, verifiable,
modifiable, testable and traceable;

• To document activities such as interviews, questionnaires, reports etc. and development
of a system (data) dictionary to document the modeling activities.

Question 18

Describe briefly four categories of major tools that are used for system
development.(ISCA class notes Pg no-199)

Question 19

Discuss major characteristics of a good coded program in brief.

(ISCA class notes Pg no-217)

U R RARE

Question 20

Discuss the various methods for validating proposals.

(ISCA class notes Pg no-215)

Following are some of the common methods for validating vendors' proposals.

1. Checking Method

2. Point Scoring Method

3. Evaluating from Public Reports

4. Benchmarking problem for vendors' proposals

5. Testing Problems

Question 21

What is Unit Testing? Explain five categories of tests that a programmer typically
performs on a program unit. (ISCA class notes Pg no-219)

• Parallel Tests

Question 22

Explain the following testing techniques:

(i) Black Box Testing

(ii) White Box Testing

(iii) Gray Box Testing

(ISCA class notes Pg no-221)

Question 23

Write short notes on the following:

(i)Static Testing (ISCA class notes Pg no-220)

(ii)Regression Testing (ISCA class notes Pg no-222)

(iii) System Testing (ISCA class notes Pg no-223)

Question 24

Discuss Final Acceptance Testing in brief.(ISCA class notes Pg no-224)

• It is conducted when the system is just ready for implementation.

• During this testing, it is ensured that the new system satisfies the quality standards
adopted by the business and the system satisfies the users.

• Thus, the final acceptance testing has two major parts:

Question 25

Explain categories of system maintenance in brief.(ISCA class notes Pg no-230)

HATKE QUESTIONS

Question 1

The top management of company has decided to develop a computer information system
for its operations. Is it essential to conduct the feasibility study of system before
implementing it? If answer is yes, state the reasons. Also discuss three different
angles through which feasibility study of the system is to be conducted. (ISCA class notes
Pg no-192)

RAKHI KE BOY FRIEND KO

Question 2

If you are the Project Manager of a Software Company with the responsibility for
developing a break-through product, combining state of the art hardware and software;
will you opt for prototyping as a process model for a product meant for the
intensely competitive entertainment market?

(ISCA class notes Pg no-189)

Prototyping as a process model will be inappropriate and hence inadvisable for the
following reasons:

• Prototyping requires user involvement. Here, users are consumers of the product who
are diffused and may not be inclined to join in.

• When we try to test the product with the involvement of customers, confidential or
critical information might get leaked to the competitors on our line of thinking. The
element of surprise and also the opportunity to capture the market will be lost.

• Prototyping requires significant time for experimenting. Since the product is meant for
the intensely competitive entertainment market, the project manager may not have that
much time to experiment, and the competitor may capture the market by entering the
market in advance.

SIMILAR TYPE OF QUESTIONS

Question 1

(A)Explain the factors to be considered while designing the output of the system.(ISCA
class notes Pg no-209)

FC ROAD PE JAYENGE

(B)Explain the factors to be considered while designing the input of the system.

(ISCA class notes Pg no-210)

FC ROAD PE JAYENGE

Question 2

(A) Explain various fact finding techniques used by system analyst for determining the
needs/ requirements of a system to be developed.

(ISCA class notes Pg no-195)

DIOQ

(B) Explain two primary methods, which are used for the analysis of the scope of a project
in SDLC (ISCA class notes Pg no-195)

Two primary methods, which are used for the analysis of the scope of a project in SDLC
are given as follows:

1) Reviewing Internal Documents:

• The analysts conducting the investigation first try to learn about the organization
involved in, or affected by, the project.

• For example, to review an inventory system proposal, an analyst may try to know how
the inventory department operates and who are the managers and supervisors.

• Analysts can usually learn these details by examining organization charts and
studying written operating procedures.

2) Conducting Interviews:

• Written documents tell the analyst how the systems should operate, but they may
not include enough details to allow a decision to be made about the merits of a
systems proposal, nor do they present users' views about current operations.

• To learn these details, analysts use interviews. Interviews allow analysts to know
more about the nature of the project request and the reasons for submitting it.

Question 3

(A) Explain different changeover strategies used for conversion from old system to new
system.(ISCA class notes Pg no-226)

Different changeover strategies used for conversion from old system to new system are
given as follows:

• Direct Implementation / Abrupt Change-Over

• Phased Changeover

• Pilot Changeover

• Parallel Changeover

(B)Discuss briefly, various activities that are involved for successful conversion with
respect to a computerized information system.(ISCA class notes Pg no-227)

Fundamentally these activities can be classified as follows:

• Procedure conversion

• File conversion

• System conversion

• Scheduling personnel and equipment

CHAPTER 6
Auditing of Information Systems
MAIN QUESTIONS

Question 1

What are the factors that influence an organization towards controls and audit of
computers? (ISCA class notes Pg.no-234)

Controls:-

1) Organizational Costs of Data Loss

2) Incorrect Decision Making

3) Value of Computer Hardware, Software and Personnel

4) High Costs of Computer Error

5) Maintenance of Privacy

6) Controlled evolution of computer Use

Question 2

Write short notes on the Basic Plan with reference to IS Audit

(ISCA class notes Pg.no-244)

Question 3

Discuss the points relating to 'Legal Considerations and Audit Standards' to be considered
by an IS auditor as a part of his/her preliminary review.

(ISCA class notes Pg.no-246)

Question 4

Write short notes on the following:

(i) Snapshots(ISCA class notes Pg.no-249)

(ii) Audit Hooks(ISCA class notes Pg.no-252)

(iii) Source Document Controls (ISCA class notes Pg.no-266)

(iv) Data Coding Controls (ISCA class notes Pg.no-267)

Question 5

What do you understand by SCARF technique? Explain various types of information
collected by using SCARF technique in brief.

(ISCA class notes Pg.no-250)

Application=s3p3

Question 6

Describe major advantages of continuous audit techniques.

(ISCA class notes Pg.no-251)

CAT OBJECTIVE

Question 7

Describe major disadvantages and limitations of Continuous Audit techniques.

(ISCA class notes Pg.no-252)

SADSE

Question 8

Explain three major ways by which audit trails can be used to support security
objectives.(ISCA class notes Pg.no-253)

DRP

Question 9

Discuss two main categories of Data Management Controls in detail.

(ISCA class notes Pg.no-255)

Data Management Controls fall in the following two main categories:

(i) Access Controls:

(ii) Back-up Controls

Various backup strategies are given as follows:

• Dual recording of data

• Periodic dumping of data

• Logging input transactions

• Logging changes to the data

Question 10

Write a short note on System Development Controls.

(ISCA class notes Pg.no-257)

The six activities discussed below deal with system development controls in IT setup.
These are given as follows:

Question 11

Write short note on Data Communication Security with reference to Computer Centre
Security and Controls

(ISCA class notes Pg.no-260)

Question 12

Write short note on Physical Security with reference to Computer Centre Security and
Controls

(ISCA class notes Pg.no-258)

Physical

Data and software

communication

Question 13

Write short note on the Internet and Intranet Controls

(ISCA class notes Pg.no-261)

A) Major Exposures

There are two major exposures in the communication sub-system including Internet and
Intranet, which are given as follows:

1. Component Failure:

2. Subversive Threats:

B) Mechanisms can be used to control risks

Question 14

Explain the role of IS Auditor in Physical / environmental Access Controls.

(ISCA class notes Pg.no-264)

This involves the following:

1) Risk Assessment:

2) Controls Assessment:

3) Review of Documents.

Question 15

Explain three levels of input validation controls in detail.

(ISCA class notes Pg.no-267)

1) Field Interrogation: The following are some common types of field interrogation.
Various field checks used to ensure data integrity have been described below:

2) Record Interrogation: These are discussed as follows:

3) File Interrogation: These are discussed as follows:

Question 16

Discuss major audit issues of operational layer with reference to application security
audit. (ISCA class notes Pg.no-272)

Question 17

Discuss major audit issues of Tactical Layer with reference to application security
audit.(ISCA class notes Pg.no-272)

At the tactical layer, security administration is put in place. This includes:

Question 18
Write short note on Strategic Layer with reference to application security audit

(ISCA class notes Pg.no-273)

HATKE QUESTIONS

Question 1

An important task for the auditor as a part of his/her preliminary evaluation is to gain a
good understanding of the technology environment and related control issues. Explain
major aspects that should be considered in this exercise.

(ISCA class notes Pg.no-246)

Major aspects to be considered in the aforementioned exercise are given as follows:

• Analysis of business processes and level of automation,

• Assessing the extent of dependence of the enterprise on Information Technology to
carry on its businesses, i.e. the role of IT in the success and survival of business,

• Understanding technology architecture, which could be quite diverse, such as a
distributed architecture or a centralized architecture or a hybrid architecture,

• Studying network diagrams to understand physical and logical network connectivity,

• Understanding architecture wherein the organization systems connect seamlessly
with other stakeholders such as vendors (SCM), customers (CRM), employees and the
government,

• Knowledge of various technologies and their advantages and limitations is a
critical competence requirement for the auditor. For example, authentication risks
relating to e-mail systems, and

• Finally, studying Information Technology

Question 2

What are the key steps that can be followed for a risk-based approach to make an audit
plan? Explain in brief.

• Inventory the information systems in use in the organization and categorize them.

• Determine which of the systems impact critical functions or assets, such as
money, materials, customers, decision making, and how close to real time they operate.

• Assess what risks affect these systems and the likelihood and severity of the impact on
the business.

• Based on the above assessment, decide the audit priority, resources, schedule
and frequency.

Question 3

Explain major risks relating to personal computers. Also explain the security measures
that could be exercised to overcome those risks.

(ISCA class notes Pg.no-263)

Question 4

What are the major aspects that should be thoroughly examined by an IS Auditor during
the audit of Environmental Controls? Explain in brief.

(ISCA class notes Pg.no-265)

SIMILAR TYPE OF QUESTIONS

Question 1

(A)Discuss the issues relating to the performance of evidence collection

(ISCA class notes Pg.no-236)

Dosa Idli

(B)Discuss the issues relating to the performance of evidence collection

(ISCA class notes Pg.no-237)

1) System generated transactions

2) Automated transaction processing

3) Systemic error

Question 2

(A)Explain the skills of IS Auditor.

(ISCA class notes Pg.no-238)

1) Business operations and practices

2) Professional technical qualification

3) Risks and controls

4) IT strategies, policy and procedure controls

5) Technical and manual controls

6) Professional Standards and best practices

(B) Explain the functions of IS Auditor.

(ISCA class notes Pg.no-239)

1) Inadequate information security

2) Inefficient use of resources

3) Ineffective IT strategies, policies and practices

4) IT-related frauds

(C) Explain major types/categories of IS Audits in brief.

(ISCA class notes Pg.no-239)

Major types of IS Audits are given as follows:

(i) Systems and Application

(ii) Information Processing Facilities

(iii) Systems Development

(iv) Management of IT and Enterprise Architecture

(v) Telecommunications, Intranets, and Extranets

(D) Explain major stages/steps of IS Audits in brief.

(ISCA class notes Pg.no-240)

(i) Scoping and pre-audit survey

(ii) Planning and preparation

(iii) Fieldwork

(iv) Analysis

(v) Reporting

(vi) Closure

Question 3

(A) Discuss processing controls with reference to Application Controls in brief.

(ISCA class notes Pg.no-270)

1) Run-to-run totals

2) Reasonableness verification

3) Edit checks

4) Field initialization

5) Exception reports

(B) Discuss output controls with reference to Application Controls in brief.

(ISCA class notes Pg.no-271)

1) Storage and logging of sensitive, critical forms

2) Logging of output program executions

3) Spooling/Queuing

4) Controls over printing

5) Report distribution and collection controls

6) Retention controls

Question 4

(A) Describe major tasks performed by an Operating System in brief.

(ISCA class notes Pg.no-254)

(B) Write a short note on Operating System Security.

(ISCA class notes Pg.no-254)

The following security components are found in a secure operating system:

CHAPTER 7
Information Technology Regulatory Issues

MAIN QUESTIONS

Question 1

Explain the objectives of the Information Technology Act 2000.

(ISCA class notes Pg.no-275)

Lajawab, Sunder,Susheel......

Question 2

Define the following terms with reference to Information Technology Act 2000:

(i) Digital signature (ISCA class notes Pg.no-278)

(ii) Electronic form(ISCA class notes Pg.no-278)

(iii) Key Pair(ISCA class notes Pg.no-279)

(iv) Asymmetric Crypto System(ISCA class notes Pg.no-277)

(i) Digital Signature: It means authentication of any electronic record by a subscriber by
means of an electronic method or procedure in accordance with the provisions of
section 3.

(ii) Electronic form: With reference to information, it means any information generated,
sent, received or stored in media, magnetic, optical, computer memory, microfilm,
computer generated micro fiche or similar device.

(iii) Key Pair: In an asymmetric cryptosystem, it means a private key and its
mathematically related public key, which are so related that the public key can verify a
digital signature created by the private key.

(iv) Asymmetric Crypto System: It is a system of secure key pair consisting of a private key
for creating a digital signature and a public key to verify the digital signature.

Question 3

Write short notes on the following: (ISCA class notes Pg.no-282)

(i) [Section 4] Legal Recognition of Electronic Records

(ii) [Section 5] Legal Recognition of Electronic Signature

Question 4

Discuss the 'Use of Electronic Records in Government and its agencies' in the light of
Section 6 of Information Technology Act 2000.

(ISCA class notes Pg.no-283)

Question 5

Describe the 'Power to make rules by Central Government in respect of Electronic
Signature' in the light of Section of Information Technology Act 2000. (ISCA class notes
Pg.no-284)

Question 6

Describe 'Tampering with Computer Source Documents' in the light of Section
of Information Technology Act 2000. (ISCA class notes Pg.no-286)

Question 7

Discuss 'Punishment for sending offensive messages through communication service etc.'
in the light of Section 66A of Information Technology Act 2000.

(ISCA class notes Pg.no-287)

Question 8

Discuss 'Power of Controller to give directions' under Section of Information
Technology Act 2000. (ISCA class notes Pg.no-291)

Question 9

Discuss 'Power to issue directions for interception or monitoring or decryption of
any information in any computer resource' under Section 69 of Information Technology
Act 2000. (ISCA class notes Pg.no-291)

Section 69 gives powers to Central & State Governments to issue directions empowering
a Government agency to intercept, monitor or decrypt any information through or
in any computer if it is for important purposes as specified in the section. These include:

(1) the interest of the sovereignty or integrity of India, defense of India, security of the
State, friendly relations with foreign States or public order or for preventing incitement
to the commission of any cognizable offence relating to above or for investigation
of any offence,

The reasons should be recorded in writing,

(2) The Procedure and safeguards over such interception or monitoring or decryption,
shall be prescribed.

(3) The subscriber or intermediary or any person in charge of the computer resource
shall, when called upon by the agency, extend all facilities and technical assistance

Question 10

Discuss 'Penalty for publishing Electronic Signature Certificate false in certain
particulars' under Section of Information Technology Act 2000.

(ISCA class notes Pg.no-293)

Question 11

Explain the key activities falling in the 'Do' Phase of Information Security Management
System (ISMS). (ISCA class notes Pg.no-308)

Question 12

Briefly explain the following with respect to the Information Technology Act 2000: (ISCA
class notes Pg.no-287 & 288)

(i) [Section 66B] Punishment for dishonestly receiving stolen computer resource
or communication device

(ii) [Section 66C] Punishment for identity theft

(iii) [Section 66D] Punishment for cheating by personation by using computer resource

(iv) [Section 66E] Punishment for violation of privacy

(v) [Section 66F] Punishment for cyber terrorism

Question 13

Explain the 'Power to issue directions for blocking public access of any information
through any computer resource' under Section A of the Information Technology Act
2000. (ISCA class notes Pg.no-291)

• To block the access by the public, or cause to be blocked for access by the public, any
information generated, transmitted, received, stored or hosted in any computer
resource, in the interest of sovereignty and integrity of India, defense of India,
security of the State, friendly relations with foreign states.

• Procedure should be as may be prescribed

• Subscriber should assist authorized person, if fails subscriber will be liable for
punishment

Question 14

Explain the 'Power to authorize to monitor and collect traffic data or information through
any computer resource for Cyber Security' with reference to Section B of the
Information Technology Act 2000.

(ISCA class notes Pg.no-291)

Power to authorize to monitor and collect traffic data or information through any
computer resource for Cyber Security-

(1) Monitor and collect traffic data or information generated, transmitted, received or
stored in any computer resource.

(2) Procedure should be as may be prescribed.

(3) Subscriber should assist authorized person, if fails subscriber will be liable for
punishment.

Question 15

Briefly explain requirements of IRDA for System Controls & Audit.

(ISCA class notes Pg.no-298) - Whole answer

Question 16

Briefly explain requirements of RBI for System Controls & Audit.

(ISCA class notes Pg.no-299) - Whole answer

Question 17

Briefly explain requirements of SEBI for System Controls & Audit.

(ISCA class notes Pg.no-302) - Whole answer

Question 18

Briefly explain Auditor Selection Norms with reference to the requirements
of SEBI for System Controls & Audit.

(ISCA class notes Pg.no-303)

Question 19

Write a short note on ISO 27001.

(ISCA class notes Pg.no-306)

Question 20

Write a short note on ITIL.
(ISCA class notes Pg.no-311)

Question 21

Write a short note on Cyber Forensic and Cyber Fraud Investigation.

(ISCA class notes Pg.no-303)

HATKE QUESTIONS

Question 1

Discuss the main provisions provided in Information Technology Act 2000 to facilitate e-
Governance. (ISCA class notes Pg.no-283 & 284)

Sections 6, 7 and 8 of Chapter III (e-Governance) are the main sections containing the
provisions in Information Technology Act 2000 that facilitate e-Governance.

Question 2

What is the vision of National Cyber Security Policy 2013? Also explain its major
objectives (ISCA class notes Pg.no-305)

Vision of the National Cyber Security Policy 2013 is: 'To build a secure and
resilient cyberspace for citizens, business and Government', and the mission is 'To protect
information and information infrastructure in cyberspace, build capabilities to prevent
and respond to cyber threats, reduce vulnerabilities and minimize damage from
cyber incidents through a combination of institutional structures, people, processes,
technology and cooperation.'

Major objectives of this policy are given as follows:

• To create a secure cyber ecosystem in the country, generate adequate trust &
confidence in IT systems and transactions in cyberspace and thereby enhance adoption of
IT in all sectors of the economy;

• To create an assurance framework for design of security policies and for promotion
and enabling actions for compliance to global security standards and best practices by
way of conformity assessment (product, process, technology, & people);

• To strengthen the Regulatory framework for ensuring a Secure Cyberspace ecosystem;

• To enhance and create National and Sectorial level 24*7 mechanisms for
obtaining strategic information regarding threats;

• To enhance the protection and resilience of the Nation's critical information
infrastructure by operating a 24*7 National Critical Information Infrastructure
Protection Center (NCIIPC) and mandating security practices related to the design,
acquisition, development and operation of information resources;

• To develop suitable indigenous security technologies through frontier technology
research, solution oriented research, proof of concept, and pilot development of secure
ICT products/processes in general and specifically for addressing National Security
requirements;

• To improve visibility of the integrity of ICT products & services and establishing
infrastructure for testing & validation of security of such products;

• To create a workforce of 500,000 professionals skilled in cyber security in the next 5
years through capacity building, skill development and training;

• To provide fiscal benefits to businesses for adoption of standard security practices and
processes;

• To enable protection of information while in process, handling, storage & transit so as
to safeguard privacy of citizens' data and for reducing economic losses due to cybercrime
or data theft;

• To enable effective prevention, investigation and prosecution of cybercrime and
enhancements of law enforcement capabilities through appropriate
legislative intervention;

• To create a culture of cyber security and privacy enabling responsible user behavior
& actions through an effective communication and promotion strategy;

• To develop effective public private partnerships and collaborative engagements
through technical and operational collaboration and contribution for enhancing the
security of cyberspace; and

• To enhance global cooperation by promoting shared understanding and
leveraging relationships for furthering the cause of security of cyberspace.

SIMILAR TYPE OF QUESTIONS

Question 1

(A) Briefly discuss the four phases of ISMS. (ISCA class notes Pg.no-308)

1) Plan Phase

2) Do Phase

3) Check Phase

4) Act Phase

(B) Briefly discuss the volumes of ITIL framework.

(ISCA class notes Pg.no-311)

1) Service Strategy

2) Service Design

3) Service Transition

4) Service Operations

5) Continual Service Improvement

Question 2

(A) Explain 'Authentication of Electronic Records' with reference to Section of
Information Technology Act 2000, or: How does the Information Technology Act 2000
enable the authentication of records using digital signatures?

(ISCA class notes Pg.no-281)

[Section 3]: Authentication of Electronic Records:

(1) Subject to the provisions of this section any subscriber may authenticate an electronic
record by affixing his Digital Signature.

(2) The authentication of the electronic record shall be effected by the use of asymmetric
crypto system and hash function which envelop and transform the initial electronic
record into another electronic record.

Explanation -

For the purposes of this sub-section, "Hash function" means an algorithm mapping or
translation of one sequence of bits into another, generally smaller, set known as "Hash
Result" such that an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input making it
computationally infeasible

(a) to derive or reconstruct the original electronic record from the hash result produced
by the algorithm;

(b) that two electronic records can produce the same hash result using the algorithm.

(3) Any person by the use of a public key of the subscriber can verify the electronic record.

(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.

(B) What are the major provisions on 'Retention of Electronic Records' with reference to Information Technology Act 2000? Explain in brief.

(ISCA class notes Pg.no-283)



CHAPTER 8

Emerging Technologies

MAIN QUESTIONS

Question 1

Discuss the major goals of Cloud Computing in brief.

(ISCA class notes Pg.no-319)

Question 2

Write short notes on the following:

(i) Hybrid Cloud(ISCA class notes Pg no-321)

(ii) Mobile Computing(ISCA class notes Pg no-328)

(iii) BYOD (ISCA class notes Pg no-329)

(iv) Web 2.0 (ISCA class notes Pg no-333)

(v) Green IT (ISCA class notes Pg no-338)

Question 3

Briefly discuss the threats of BYOD

(ISCA class notes Pg no-330)

INDIA

Question 4

Discuss the Benefits for Social Networks using Web 2.0.


(ISCA class notes Pg no-337)

ABC Social Platform



Question 5

Explain Mobile Computing and BYOD with an example.

(ISCA class notes Pg no-340)

HATKE QUESTIONS

Question 1

'The work habits of computer users and businesses can be modified to minimize adverse impact on the global environment.' Discuss some of such steps, which can be followed for Green IT. (ISCA class notes Pg no-339)

Question 2

What is Cloud Computing? Explain some pertinent similarities and differences between
Cloud and Grid computing. (ISCA class notes Pg.no-314 &316)

Some pertinent similarities and differences between cloud and grid computing are
highlighted as follows:

• Cloud computing and grid computing both are scalable. Scalability is accomplished
through load balancing of application instances running separately on a variety of
operating systems and connected through Web services. CPU and network bandwidth is
allocated and de-allocated on demand. The system's storage capacity goes up and down
depending on the number of users, instances, and the amount of data transferred at a
given time.

• Both computing types involve multi-tenancy and multitasking, meaning that many customers can perform different tasks, accessing a single or multiple application instances. Sharing resources among a large pool of users assists in reducing infrastructure costs and peak load capacity. Cloud and grid computing provide Service-Level Agreements (SLAs) for guaranteed uptime availability of, say, 99 percent. If the service slides below the level of the guaranteed uptime service, the consumer will get service credit for not receiving data within stipulated time.

• While the storage computing in the grid is well suited for data-intensive storage, it is not
economically suited for storing objects as small as 1 byte. In a data grid, the amounts of
distributed data must be large for maximum benefit. While in cloud computing, we can
store an object as low as 1 byte and as large as 5 GB or even several terabytes.

• A computational grid focuses on computationally intensive operations, while cloud computing offers two types of instances: standard and high-CPU.

Question 3

What is Green Computing? Discuss security issues of Green computing in brief. (ISCA class notes Pg no-340)

Security issues of Green computing:

 If administered properly with other green computing technologies, green security can be a cost-efficient
 The basic aim is to increase the customer's energy savings through green security services and assess how sustainable computing technology can immediately help the environment.
 Green IT services present many benefits for clients as well as providers, but knowing how to evaluate a client's infrastructure to accommodate green technology is really a vital issue.
 Moreover, apart from the common security issues, the green security emphasizes the role of security tools, methods and practices that reduce a company's environmental impact.

SIMILAR TYPE OF QUESTIONS



Question 1

(A) Discuss the different types of cloud computing architecture


(ISCA class notes Pg no-320)

1) Front end

2) Back end

(B) Discuss the different types of cloud.


(ISCA class notes Pg no-321)

1) Public

2) Private

3) Hybrid

(C) Discuss the different types of cloud computing models.


(ISCA class notes Pg no-322)

1) IaaS

2) PaaS

3) SaaS

4) NaaS

5) CaaS

Question 2

(A) Explain, in brief, the characteristics of Cloud Computing.

(ISCA class notes Pg no-323)

Very popular (ASM)2

(B) Explain, in brief, the advantages of Cloud Computing.

(ISCA class notes Pg no-324)

AB QU CA



Question 3

(A) Explain, in brief, the challenges of Cloud Computing.

(ISCA class notes Pg no-325)

1) Confidentiality

2) Integrity

3) Availability

4) Governance

5) Trust

6) Legal issues and Compliance

7) Privacy

8) Audit

9) Data Stealing

10) Architecture

11) Identity Management and Access Control

12) Incident Response

13) Software Isolation

14) Application Security

(B) Explain, in brief, the challenges for Social Networks using Web 2.0.

(ISCA class notes Pg no-337)

1) Data Security and Privacy

2) Malicious users

3) Education and Advertising

4) Amenities

(C) Explain, in brief, the challenges of Green IT.



(ISCA class notes Pg no-340)

1) Cost

2) Impact

3) Standard

4) Security



SECTION 2 - QUESTIONS BASED ON CASE
STUDIES

Question 1

ASK International proposes to launch a new subsidiary to provide e-consultancy services for organizations throughout the world, to assist them in system development, strategic
planning and e-governance areas. The fundamental guidelines, programme modules and
draft agreements are all preserved and administered in e-form only. The company
intends to utilize the services of a professional analyst to conduct a preliminary
investigation and present a report on smooth implementation of the ideas of the new
subsidiary. Based on the report submitted by the analyst, the company decides to
proceed further with three specific objectives (i) reduce operational risk, (ii) increase
business efficiency and (iii) ensure that information security is being rationally applied.
The company has been advised to adopt ISO 27001 for achieving the same.

(a) What are the two primary methods through which the analyst would have collected
the data ?

(b) To retain their e-documents for specified period, what are the conditions laid down in
Section 7, Chapter III of Information Technology Act, 2000?

Answer

(a) Two primary methods through which the analyst would have collected the data are
given as follows:

(i) Reviewing Internal Documents: The analyst first tries to learn about the organization involved in or affected by the project. For example, the subsidiary's activities based on its business and operation plans. S/he will also examine proposed organization charts and functions of positions mentioned in it.

(ii) Conducting Interviews: Written documents tell the analyst how the system should operate but they may not include enough details to allow a decision to be made about the merits of a system proposal, nor do they present users' views about current operations. To learn these details, analysts use interviews. Preliminary investigation interviews involve only management and supervisory personnel. The analyst may conduct interviews with persons who are scheduled to occupy various positions in the subsidiary.

(b) Section 7, Chapter III of Information Technology Act, 2000 provides that the
documents, records or information which is to be retained for any specified period shall
be deemed to have been retained if the same is retained in the electronic form provided
the following conditions are satisfied:

(1) Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, –

(a) the information contained therein remains accessible so as to be usable for a subsequent reference;

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format, which can be demonstrated to represent accurately the information originally generated, sent or received;

(c) the details, which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.

E.g. Company may include clause in its contracts with customers that electronic documents and correspondence will be considered valid; Electronic documents will have to be preserved till the contract and all liabilities are discharged; Documents may be digitally signed with hash values to assure that they have not been altered; All correspondence with clients may be saved with dates of transmission / receipt; In case the company changes / upgrades its email or other systems, the new system should be able to read the old data and retain all data without change etc.

Question 2

ABC Industries Ltd., a company engaged in a business of manufacture and supply of automobile components to various automobile companies in India, had been developing
and adopting office automation systems, at random and in isolated pockets of its
departments. The company has recently obtained three major supply contracts from
International Automobile companies and the top management has felt that the time is
appropriate for them to convert its existing information system into a new one and to
integrate all its office activities. One of the main objectives of taking this exercise is to
maintain continuity of business plans even while continuing the progress towards e-
governance.

(a) What are the types of operations into which the different office activities can be
broadly grouped under office automation systems?

(b) What is meant by Business Continuity Planning? Explain the areas covered by Business
Continuity.

Answer

(a) Types of Operations:



The types of operations into which different office activities under Office Automation
Systems can be broadly grouped, are discussed as under:

(i) Document Capture: Documents originating from outside sources like incoming mails from customers, enquiries, notes, handouts, charts, graphs etc. need to be preserved for being tracked through their life.

(ii) Document Creation: This consists of preparation of documents, editing of texts etc. and takes up major part of the time of field personnel like salesmen.

(iii) Receipts and Distribution: This basically includes distribution of correspondence to designated recipients. This may be effectively achieved by use of emails and mail groups.

(iv) Filing, Search, Retrieval and Follow-up: This is related to filing, indexing, searching of documents, which takes up significant time. E.g. categorizing various types of documents and cataloguing all documents under each type, assigning rights for access, retrieval.

(v) Calculations: These include the usual calculator functions like routine arithmetic,
operations for bill passing, interest calculations, working out the percentages and the like.

(vi) Recording Utilization of Resources: This includes, where necessary, record keeping in respect of specific resources utilized by office personnel.

All the activities mentioned have been made very simple and effective by the use of computers. The application of computers to handle the office activities is also termed as office automation. Care should be taken to convert old documents which have not been created in or stored in computers into usable electronic documents so that after the new system is implemented, these old documents will still be accessible and business can continue as usual. Office automation systems which are already in use by some departments must be integrated with the new systems. For e-governance, the company must put in place a definition of road map of how the systems will be implemented, monitored, measured and corrective action taken when deficiencies / opportunities for improvement are noticed. This will include assigning responsibilities to various personnel using or affected by office automation.

(b) Business Continuity Planning (BCP) is the creation and validation of a practical
logistical plan for how an organization will recover and restore partially or completely
interrupted critical functions within a predetermined time after a disaster or extended
disruption. The logistical plan is called a Business Continuity Plan. It is especially
important because the company is planning to embrace office automation in all aspects
of business. This will make it highly dependent on computer systems to run operations,
deal with customers, suppliers and other stakeholders etc. Planning is an activity to be
performed before the disaster occurs otherwise it would be too late to plan an effective
response. The resulting outage from such a disaster can have serious effects on the
viability of a firm's operations, profitability, quality of service, and convenience.

Business Continuity covers the following areas:

(i) Business Resumption Planning – The Operational piece of business continuity planning
to resume normal operations after a disaster.

(ii) Disaster Recovery Planning – The technological aspect of BCP, the advance planning
and preparation necessary to minimize losses and ensure continuity of critical business
functions of the organization in the event of a disaster. Planning which are minimal level
of operations which must be run, their priority and the sequence in which they need to be
brought up as well as taking steps to be prepared to deal with any emergency.

(iii) Crisis Management – The overall coordination of an organization's response to a crisis in an effective timely manner, with the goal of avoiding or minimizing damage to the organization's profitability, reputation or ability to operate. E.g. how to run operations and service customers when computer systems are not available. The major international companies who have given orders to the company will expect this level of preparedness from the company.

Question 3

XYZ Industries Ltd. is a company engaged in the business of manufacturing and supply of electronic equipment to various companies in India. It intends to implement E-Governance system at all of its departments. A system analyst is engaged to conduct requirement analysis and investigation of the present system. The company's new business models and new methods presume that the information required by the business managers is available all the time; it is accurate and reliable. The company is relying on Information Technology for information and transaction processing. It is also presumed that the company is up and running all the time on 24 x 7 basis. Hence, the company has decided to implement a real time ERP package, which equips the enterprise with necessary capabilities to integrate and synchronize the isolated functions into streamlined business processes in order to gain a competitive edge in the volatile business environment. Also, the company intends to keep all the records in digitized form.

(a) What do you mean by system requirement analysis? What are the activities to be
performed during system requirement analysis phase?

(b) What is the provision given in Information Technology Act 2000 for the retention of
electronic records?

Answer

(a) System requirements analysis is a phase, which includes a thorough and detailed understanding of the current system, identification of the areas that need modification/s to solve the problem, the determination of user/managerial requirements and to have fair ideas about various system development tools.

The following activities are performed in this phase:

♦ To identify and consult the stake owners to determine their expectations and resolve
their conflicts e.g. what facilities the business owners require to gain competitive
advantage; whether for meeting 24x7 requirements documents should be accessible over
internet, whether customers and suppliers will also connect to the system;

♦ To analyze requirements to detect and correct conflicts and determine priorities; this
will include identifying the various documents which will need to be migrated to the new
system. In case the existing systems process transactions in a way different from the new
ERP, these differences must be resolved

♦ To verify requirements in terms of various parameters like completeness, consistency, unambiguous, verifiable, modifiable, testable and traceable;

♦ To gather data or find facts using tools like- interviewing, research/document collection,
questionnaires, observation;

♦ To develop models to document Data Flow Diagrams, E-R diagrams; and

♦ To develop a system dictionary to document the modeling activities.

♦ The document/deliverable of this phase is a detailed system requirements report, which is generally termed as SRS.

(b) Retention of Electronic Records: [Section 7] of Information Technology Act 2000: The
provision for the retention of electronic records is discussed in Section 7 of IT Act 2000,
which is given as follows:

(1) Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, –

(a) the information contained therein remains accessible so as to be usable for a subsequent reference;

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format, which can be demonstrated to represent accurately the information originally generated, sent or received;

(c) the details, which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.

E.g. Company may include clause in its contracts with customers that electronic
documents and correspondence will be considered valid; Electronic documents will have
to be preserved till the contract and all liabilities are discharged; Documents may be
digitally signed with hash values to assure that they have not been altered; All
correspondence with clients may be saved with dates of transmission / receipt; In case
the company changes / upgrades its email or other systems, the new system should be
able to read the old data and retain all data without change etc.
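A small retention manifest, as an added example that is not part of the original notes or of the Act, covering the Section 7 conditions quoted both in Question 1(b) and here: accessibility (7(1)(a)), original or demonstrably equivalent format (7(1)(b)), the origin/destination/date-time details (7(1)(c)), and the hash-based "not altered" check the illustration mentions. The manifest layout, field names, sample correspondence and addresses are all assumptions of this example, written in Python with the standard library only.

```python
"""Added example: a retention manifest checked against the Section 7 conditions.

Illustrative code written for this page; the manifest layout, the field names
and the sample correspondence are assumptions, not anything the IT Act or the
ISCA notes prescribe.  Standard library only.
"""
import base64
import hashlib
import json
from datetime import datetime, timezone

# Section 7(1)(c): details identifying origin, destination and the date and
# time of dispatch or receipt must be available in the retained record.
REQUIRED_DETAILS = ("origin", "destination", "dispatched_at", "received_at")


def retain(content: bytes, fmt: str, **details) -> dict:
    """Build a manifest holding the record, its original format, the 7(1)(c)
    details and a SHA-256 digest used later to detect alteration."""
    missing = [k for k in REQUIRED_DETAILS if not details.get(k)]
    if missing:
        raise ValueError(f"cannot retain record, missing details: {missing}")
    return {
        "format": fmt,  # 7(1)(b): the format originally generated, sent or received
        "content_b64": base64.b64encode(content).decode("ascii"),
        "sha256": hashlib.sha256(content).hexdigest(),
        "details": dict(details),
        "retained_at": datetime.now(timezone.utc).isoformat(),
    }


def check_retained(manifest: dict) -> list:
    """Return the list of problems found; an empty list means the record passes."""
    problems = []
    try:  # 7(1)(a): the content must still be accessible and usable
        content = base64.b64decode(manifest["content_b64"], validate=True)
    except (KeyError, ValueError):
        return ["content not accessible"]
    if hashlib.sha256(content).hexdigest() != manifest.get("sha256"):
        problems.append("content does not match stored hash")
    for key in REQUIRED_DETAILS:
        if not manifest.get("details", {}).get(key):
            problems.append(f"missing detail: {key}")
    return problems


def migrate_format(manifest: dict, new_fmt: str, convert, revert) -> dict:
    """7(1)(b): keep the record in another format only if that format can be
    demonstrated to represent the original accurately.  The demonstration here
    is a round trip: convert, revert, and refuse the migration on any mismatch."""
    original = base64.b64decode(manifest["content_b64"], validate=True)
    converted = convert(original)
    if revert(converted) != original:
        raise ValueError("new format does not accurately represent the original")
    migrated = dict(manifest)
    migrated.update(
        format=new_fmt,
        content_b64=base64.b64encode(converted).decode("ascii"),
        sha256=hashlib.sha256(converted).hexdigest(),
        original_sha256=manifest["sha256"],  # digest of the original bytes is kept
    )
    return migrated


def run_demo() -> dict:
    """Constructed sample: one piece of client correspondence retained, migrated
    to a JSON wrapper, and a copy altered after retention."""
    letter = b"Dear customer, your order no. 42 is confirmed."  # constructed sample
    manifest = retain(
        letter, "text/plain",
        origin="sales@example.com", destination="client@example.com",
        dispatched_at="2013-07-02T10:15:00Z", received_at="2013-07-02T10:15:04Z",
    )
    migrated = migrate_format(
        manifest, "application/json",
        convert=lambda b: json.dumps({"text": b.decode("utf-8")}).encode("utf-8"),
        revert=lambda b: json.loads(b.decode("utf-8"))["text"].encode("utf-8"),
    )
    altered = dict(manifest)  # content changed after retention: digest no longer matches
    altered["content_b64"] = base64.b64encode(
        letter.replace(b"confirmed", b"cancelled")).decode("ascii")
    try:  # a record without dispatch/receipt details is refused outright
        retain(letter, "text/plain", origin="sales@example.com")
        incomplete_rejected = False
    except ValueError:
        incomplete_rejected = True
    return {
        "original": check_retained(manifest),
        "migrated": check_retained(migrated),
        "migration_keeps_original_digest": migrated["original_sha256"] == manifest["sha256"],
        "altered": check_retained(altered),
        "incomplete_rejected": incomplete_rejected,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The digest only shows that the bytes are unchanged since retention; it does not say who produced them, which is why the illustration pairs hashing with a digital signature under Section 3. The round-trip check in `migrate_format` is one concrete way to "demonstrate" that a new format represents the original accurately when systems are upgraded.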

Question 4

ABC Technologies Ltd. deals with the software developments for various domains. The
company is following SDLC best practices for its different activities. For any software to be
developed, after possible solutions are identified, project feasibility i.e. the likelihood that
the system will be useful for the organization, is determined. After this, other stages of the SDLC are followed with their best practices. A system development methodology is a
formalized, standardized, documented set of activities used to manage a system
development project. It refers to the framework that is used to structure, plan and
control the process of developing an information system. Each of the available
methodologies is best suited to specific kinds of projects, based on various technical,
organizational, project and team considerations.

Read the above carefully and answer the following:

(a) What is a feasibility study? Explain the dimensions under which the feasibility study of
a system is evaluated.

(b) For the development of software, various techniques/models are used e.g. waterfall,
incremental, spiral etc; in which, each has some strengths and some weaknesses.

Discuss the weaknesses of the incremental model.

Answer

(a) A feasibility study is carried out by system analysts, which refers to a process of
evaluating alternative systems through cost/benefit analysis so that the most feasible and
desirable system can be selected for development. The Feasibility Study of a system is
evaluated under following dimensions:

♦ Technical: Is the technology needed available?

♦ Financial: Is the solution financially viable?

♦ Economic: What is the Return on Investment?

♦ Schedule/Time: Can the system be delivered on time?

♦ Resources: Are human resources available to develop the solution or are they reluctant to use it?

♦ Operational: How will the solution work?

♦ Behavioral: Is the solution going to bring any positive or adverse effect on quality of
work life?

♦ Legal: Is the solution valid in legal terms?

(b) Major weaknesses of the incremental model are given as follows:

♦ When utilizing a series of mini-waterfalls for a small part of the system before moving
onto the next increment, there is usually a lack of overall consideration of the business
problem and technical requirements for the overall system.

♦ Each phase of iteration is rigid and does not overlap each other.

♦ Problems may arise pertaining to system architecture because not all requirements are
gathered up front for the entire software life cycle.

♦ Since some modules will be completed much earlier than others, hence well-defined
interfaces are required.

♦ Difficult problems tend to be pushed to the future to demonstrate early success to management.


SECTION 3 – TEST PAPERS
Test 1 – Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

XYZ Limited is a multinational company engaged in providing financial services worldwide. Most of the transactions are done online. Their current system is unable to cope with the growing volume of transactions. Frequent connectivity problems, slow processing and a few instances of phishing attacks were also reported. Hence the company has decided to develop a more robust in-house software for providing good governance and efficient use of computer and IT resources. You, being an IS auditor, have been appointed by the Company to advise them on various aspects of project development and implementation. They want the highest levels of controls in place to maintain data integrity and security with zero tolerance to errors.

The company sought your advice on the following issues:

a) What are the major data integrity policies you would suggest? (5)

b) What are the categories of tests that a programmer typically performs on a program unit? (5)

c) Discuss some of the crucial controls required in a computerized environment. (5)



d) What are your recommendations for efficient use of computer and IT resources to achieve the objectives of Green Computing? (5)

Q.no. 2

a) ABC Ltd. is a security market intermediary, providing depository services. Briefly explain the relevant requirements with respect to annual systems audit mandated by SEBI in this regard. (6)

b) Discuss some of the pertinent objectives in order to achieve the goals of Cloud Computing. (6)

c) As an IS auditor, what are the risks reviewed by you relating to IT systems and processes as part of your functions? (4)

Q.no. 3

a) Modern business uses Information Technology to carry out basic functions including systems for sales, advertisement, purchase, management reports etc. Briefly discuss some of the IT tools crucial for business growth. (6)

b) Mr. X has opened a new departmental store and all activities are computerized. He uses Personal Computers (PCs) for carrying out the business activities. As an IS auditor, list the risks related to the use of PCs in the business of Mr. X and suggest any two security measures to be exercised to overcome them. (6)

c) What do you understand by IT Governance? Write any three benefits of IT Governance. (4)

Q. no. 4

a) As an IS auditor, what are the output controls required to be reviewed with respect to application controls? (6)

b) You are appointed by a leading enterprise to assess and to evaluate its system of IT internal controls. What are the key management practices to be followed to carry out the assignment complying with COBIT 5? (6)

c) Discuss briefly, the four phases of Information Security Management System (ISMS) prescribed by ISO 27001. (4)

Q.no.5

a) While doing audit or self assessment of the BCM Program of an enterprise, briefly describe the matters to be verified. (6)

b) What do you mean by Expert System? Briefly explain some of the properties that potential applications should possess to qualify for an expert system development. (6)

c) What are the repercussions of cyber frauds on an enterprise? (4)


Q. no. 6

a) Compared to traditional audit, evidence collection has become more challenging with the use of computers to the auditors. What are the issues which affect evidence collection and understanding the reliability of controls in financial audit? (6)

b) Define the Agile model of software development and discuss its strengths. (6)

c) Explain the objectives of Business Continuity Management Policy briefly. (4)

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Operating System Security

b) Internal Controls as per COSO

c) Risk, Vulnerability, Threat

d) Types of Backups

e) Design of database



Test 2 – Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

PQR University is a public university; especially known for its Faculty of Commerce and
Management in the country. The faculty offers various UG and PG programs along with
research studies viz. M. Phil and Ph.D. Recently, the Academic Council of the university
approved the proposal of the faculty to start some UG and PG courses in distance
learning mode too. It is observed that the students of distance education are normally
dependent on self-study only along with a little support from the concerned
department/s. In view of this aforementioned fact, the concerned Dean of the faculty
decided to launch a web based Knowledge Portal to facilitate the students of different
courses. It is proposed to upload the Study Materials, e-lectures, Suggested Answers of
last examinations, Mock Test Papers relevant for the coming examinations etc. of the
approved courses on this Knowledge Portal. It is expected that the portal will be very
useful for the students as it aims to provide the access of various academic resources on
anytime anywhere basis. For the implementation of this project, a technical consultant
was appointed by the university. Accordingly, an initial feasibility study under various
dimensions was done and a detailed report was submitted. As a next step, as per the
recommendations of the consultant, an expression of interest was published by the
University in various national/regional newspapers inviting various organizations to
showcase their capabilities and suggest a good solution as per the requirements of the
concerned faculty of the university.

Read the above carefully and answer the following:



(a) What are three major attributes of information security? Out of these attributes, which attribute will be having the highest priority while developing web based knowledge portal? (5)

(b) What may be the possible dimensions under which the feasibility study of the proposed Knowledge Portal was done in your opinion? (5)

(c) What are the major validation methods for validating the vendor's proposal for developing the Knowledge Portal? (5)

(d) What are the two primary methods through which the analyst would have collected the data? (5)

Q.no. 2

a) What are the factors that influence an organization towards controls of computers? (6)

b) Briefly explain various risk management strategies. (6)

c) Discuss the main provisions provided in Information Technology Act 2000 to facilitate e-Governance. (4)

Q.no. 3

a) Explain in brief the components of BCM process. (6)

b) Discuss major characteristics of an effective MIS. (6)



c) Explain different classifications of information. (4)

Q. no. 4

a) Briefly explain requirements of IRDA for System Controls & Audit. (6)

b) Explain, in brief, the characteristics of Cloud Computing. (6)

c) Explain the set of skills that is generally expected of an IS auditor. (4)

Q.no.5

a) 'There is a practical set of principles to guide the design of measures and indicators to be included in an EIS.' Explain those principles in brief. (6)

b) Write short note on Physical Security with reference to Computer Centre Security and Controls. (6)

c) Describe the major benefits achieved through proper governance in an organization. (4)

Q. no. 6

a) Explain major stages/steps of IS Audits in brief. (6)

b) What is incremental model of system development? Also discuss its major strengths. (6)

c) Discuss the objectives of Business Continuity planning. (4)



Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Functions of IS Auditor

b) Role of IT in enterprises

c) Audit Hook

d) Alternate Processing Facility Arrangements

e) Unit Testing



Test 3 – Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

ABC Technologies Ltd. is in the development of web applications for various domains. For
the development purposes, the company is committed to follow the best practices
suggested by SDLC. A system development methodology is a formalized, standardized,
documented set of activities used to manage a system development project. It refers to
the framework that is used to structure, plan and control the process of developing an
information system. Each of the available methodologies is best suited to specific kinds of
projects, based on various technical, organizational, project and team considerations.

Read the above carefully and answer the following:

(a) Describe accountants' involvement in development work in brief. (5)

(b) 'Waterfall approach is one of the popular approaches for system development.' Explain the basic principles of this approach. (5)

(c) Briefly describe major characteristics of Agile Methodology. (5)

(d) What do you mean by system requirement analysis? What are the activities to be performed during system requirement analysis phase? (5)

Q.no. 2



a) Briefly explain requirements of RBI for System Audit. (6)

b) Briefly discuss the advantages of Cloud Computing. (6)

c) Write a short note on Integrating COBIT 5 with other frameworks. (4)

Q.no. 3

a) What is Information? Briefly discuss some of its attributes. (6)

b) What do you understand by SCARF technique? Explain various types of information collected by using SCARF technique in brief. (6)

c) What do you understand by GEIT? Also explain any three benefits of GEIT. (4)

Q. no. 4

a) Discuss two main categories of Data Management Controls in detail. (6)

b) Discuss the key management practices, which are required for aligning IT strategy with enterprise strategy. (6)

c) Briefly discuss the volumes of ITIL framework. (4)

Q.no.5

a) Describe the methodology of developing a Business Continuity Plan. (6)

b) What is EIS? Explain major characteristics of an EIS. (6)

c) Write short note on Compensatory Controls. (4)

Q. no. 6

a) Describe major advantages and disadvantages of continuous (6)

audit techniques.

b) What is waterfall model of system development? Also discuss its major (6)

strengths.

c)Explain the objectives of performing BCP tests while developing (4)

a business continuity plan.

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Processing Controls

b) Five Principles of COBIT 5.

c) Threats of BYOD

d) Types of Plans

e) Data Dictionary

Test -4 – Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

ABC Group of Industries is in the process of launching a new business unit, ABC
Consultants Ltd. to provide various consultancy services to the organizations worldwide,
to assist them in the computerization of their business modules. It involves a number of
activities starting from capturing of requirements to maintenance. Business continuity
and disaster recovery planning are two key activities in this entire process, which must be
taken care of right from the beginning. Business continuity focuses on maintaining the
operations of an organization, especially the IT infrastructure in face of a threat that has
materialized. Disaster recovery, on the other hand, arises mostly when business
continuity plan fails to maintain operations and there is a service disruption. This plan
focuses on restarting the operations using a prioritized resumption list.

Read the above carefully and answer the following:

(a) What are the issues, which are emphasized by the methodology for (5)

developing a business continuity plan?

(b) Explain the objectives of performing Business Continuity Planning tests. (5)

(c) What are the issues, written in a contract that should be ensured by security (5)

administrators if a third-party site is to be used for recovery purposes?

(d) What is meant by Business Continuity Planning? Explain the areas covered (5)

by Business Continuity.

Q.no. 2

a) Explain in brief the classification of Systems. (6)

b) An important task for the auditor as a part of his/her preliminary evaluation is to gain a good
understanding of the technology environment and related control issues. Explain major aspects
that should be considered in this exercise. (6)

c) Explain the key functions of IT Steering Committee in brief. (4)

Q.no. 3

a) What is the vision of National Cyber Security Policy 2013? Also explain its major objectives.

(6)

b) Discuss the Benefits and Challenges for Social Networks using Web 2.0. (6)

c) Discuss various types of Information Security polices and their hierarchy. (4)

Q. no. 4

a)Discuss Integrated Test Facility (ITF) technique of continuous audit in detail (6)

b)Explain major strengths and weaknesses of Spiral model. (6)

c)While developing a Business Continuity Plan, what are the key tasks that should be covered

in the second phase "Vulnerability Assessment and General definition of Requirement"? (4)

Q.no.5

a) Explain in brief the Internet and Intranet Controls (6)

b) "The success of the process of ensuring business value from use of IT can be measured by
evaluating the benefits realized from IT enabled investments and services portfolio and
how transparency of IT costs, benefits and risk is implemented". Explain some of the key
metrics, which can be used for such evaluation. (6)

c) Briefly explain Auditor Selection Norms with reference to the requirements of SEBI for (4)

System Controls & Audit.

Q.no.6

a) Write short note on audit of business continuation/disaster recovery plan (6)

b) What do you understand by TPS? Explain basic features of a TPS in brief. (6)

c) Briefly explain major update controls with reference to database controls in brief. (4)

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Basic Plan with reference to IS Audit

b) Trojan Horse

c) System Testing

d) Data Coding Controls

e) Authentication of Electronic Records

Test -5 – Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

ABC Ltd. is a company dealing in various computer hardware items through its various
offices in India and abroad. By recognizing the advantages of connectivity through
internet, recently, the company decided to sell its products in on-line mode also to
facilitate its customers worldwide. For development of the company's web applications,
the company appointed a technical consultant initially for one year to work on behalf of
the company to take the matter forward. The consultant called various meetings of
different stakeholders and decided to follow the best practices of SDLC for its different
phases. In the current vulnerable world, keeping the importance of information security
in view particularly, he further suggested to consider the security issues from the
inception itself i.e. starting from the requirements analysis phase till maintenance.
Accordingly, efficient ways were also explored to achieve the goals especially for security.
Research Studies reveal that cost and efforts may be reduced up to a considerable level
by incorporating security from the beginning in the SDLC. Read the above carefully and
answer the following:

(a) What is SDLC? Explain the key activities performed in the Requirements Analysis
phase. (5)

(b) Agile methodology is one of the popular approaches of system development. What
are the weaknesses of this methodology in your opinion? (5)

(c) What are the two primary methods through which the analyst would have collected

the data ? (5)

(d) State and briefly explain the stages of System Development Life Cycle (SDLC). (5)

Q.no. 2

a) What are the major aspects that should be thoroughly examined by an IS Auditor during the

audit of Environmental Controls? Explain in brief. (6)

b) Briefly explain Prototyping approach. Also discuss major weaknesses of Prototyping model.

(6)

c) Discuss the maintenance tasks undertaken in the development of a BCP in brief. (4)

Q.no. 3

a) Write a short note on System Development Controls. (6)

b) Discuss some of the sample metrics for reviewing the process of evaluating and
assessing compliance with external laws & regulations and IT compliances with internal
policies. (6)

c) What are the major provisions on "Retention of Electronic Records" with reference to
Information Technology Act 2000? Explain in brief. (4)

Q. no. 4

a) Write a short note on major activities that should be carried out in implementation. (6)

b)What is Decision Support System (DSS)? Explain the key characteristics of a DSS in brief. (6)

c)Explain five organization control techniques in brief. (4)

Q.no.5

a) Discuss some of the important implications of Information Systems in business. (6)

b) The Information Security Policy of an organization has been defined and documented as

given below:

"Our organization is committed to ensure Information Security through established goals and
principles. Responsibilities for implementing every aspect of specific applicable proprietary and
general principles, standards and compliance requirements have been defined. This is reviewed
at least once a year for continued suitability with regard to cost and technological changes."

Discuss Information Security Policy and also identify the salient components that have not been
covered in the above policy (6)

c)Discuss key management practices, which are needed to be implemented for evaluating
whether business value is derived from IT in an organization. (6)

Q. no. 6

a) Briefly explain requirements of RBI for System Controls. (6)

b) Explain some of the tangible benefits of mobile computing. (6)

c)Explain major cyber-attacks reported by various agencies in recent years. (4)

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Risk Assessment

b) Attack, Exposure, Likelihood of threat

c) Components of Information Systems

d) Detective Controls

e) Continuous and Intermittent Simulation (CIS) technique

SECTION 4 – Solutions to test papers
Test -1 Solutions -- Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

a) What are the major data integrity policies you would suggest ? (5)

(ISCA class notes Pg no-123)

b) What are the categories of tests that a programmer typically performs on a program unit ?

(ISCA class notes Pg no-219)

c) Discuss some of the crucial controls required in a computerized environment. (5)

(ISCA class notes Pg no-)

d) What are your recommendations for efficient use of computer and IT resource to
achieve the objectives of "Green Computing"? (5)

(ISCA class notes Pg no-339)

Q.no. 2

a) ABC Ltd. is a security market intermediary, providing depository services. Briefly explain the

relevant requirements with respect to annual systems audit mandated by SEBI in this regard.

(ISCA class notes Pg no-302) (6)

b) Discuss some of the pertinent objectives in order to achieve the goals of Cloud Computing.

(ISCA class notes Pg no-319) (6)

c) As an IS auditor, what are the risks reviewed by you relating to IT systems and processes as

part of your functions ?

(ISCA class notes Pg no-239) (4)

Q.no. 3

a) Modern business uses Information Technology to carry out basic functions including
systems for sales, advertisement, purchase, management reports etc. Briefly discuss
some of the IT tools crucial for business growth.

(ISCA class notes Pg no-94 & 95) (6)

b) Mr. X has opened a new departmental store and all activities are computerized. He
uses Personal Computers (PCs) for carrying out the business activities. As an IS auditor,
list the risks related to the use of PCs in the business of Mr. X and suggest any two
security measures to be exercised to overcome them.

(ISCA class notes Pg no-264) (6)

c) What do you understand by IT Governance? Write any three benefits of IT Governance

(ISCA class notes Pg no-14) (4)

Q. no. 4

a) As an IS auditor, what are the output controls required to be reviewed with respect to
application controls?

(ISCA class notes Pg no-270) (6)

b) You are appointed by a leading enterprise to assess and to evaluate its system of IT internal

controls. What are the key management practices to be followed to carry out the
assignment complying with COBIT 5? (6)

(ISCA class notes Pg no-38)

c) Discuss briefly, the four phases of Information Security Management System (ISMS)

prescribed by ISO 27001. (4)

(ISCA class notes Pg no-308)

Q.no.5

a) While doing audit or self assessment of the BCM Program of an enterprise, briefly describe

the matters to be verified. (6)

(ISCA class notes Pg no-167)

b) What do you mean by Expert System? Briefly explain some of the properties that potential

applications should possess to qualify for an expert system development. (6)

(ISCA class notes Pg no-81)

c) What are the repercussions of cyber frauds on an enterprise? (4)

(ISCA class notes Pg no-143)

Q. no. 6

a) Compared to traditional audit, evidence collection has become more challenging with the

use of computers to the auditors. What are the issues which affect evidence collection
and understanding the reliability of controls in financial audit? (6)

(ISCA class notes Pg no-236)

b) Define the Agile model of software development and discuss its strengths. (6)

(ISCA class notes Pg no-187)

c) Explain the objectives of Business Continuity Management Policy briefly. (4)

(ISCA class notes Pg no-154)

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Operating System Security

(ISCA class notes Pg no-254)

b) Internal Controls as per COSO

(ISCA class notes Pg no-18)

c) Risk, Vulnerability, Threat

(ISCA class notes Pg no-30 & 31)

d) Types of Backups

(ISCA class notes Pg no-170)

e) Design of database

(ISCA class notes Pg no-123)

Test -2 Solutions -- Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

(a) What are three major attributes of information security? Out of these attributes, which

attribute will be having the highest priority while developing web based knowledge
portal? (5)

(ISCA class notes Pg no-98)

(b) What may be the possible dimensions under which the feasibility study of the proposed

Knowledge Portal was done in your opinion? (5)

(ISCA class notes Pg no-191)

(c) What may be the major validation methods for validating the vendor's proposal for developing
the Knowledge Portal? (5)

(ISCA class notes Pg no-215)

(d) What are the two primary methods through which the analyst would have collected the data

(ISCA class notes Pg no-) (5)

Q.no. 2

a) What are the factors that influence an organization towards controls of computers? (6)

(ISCA class notes Pg no-234)

b) Briefly explain various risk management strategies. (6)

(ISCA class notes Pg no-33)

c) Discuss the main provisions provided in Information Technology Act 2000 to facilitate e-
Governance. (4)

(ISCA class notes Pg no-283 & 284)

Q.no. 3

a) Explain in brief the components of BCM process. (6)

(ISCA class notes Pg no-158)

b) Discuss major characteristics of an effective MIS. (6)

(ISCA class notes Pg no-64)

c) Explain different classifications of information. (4)

(ISCA class notes Pg no-120)

Q. no. 4

a) Briefly explain requirements of IRDA for System Controls & Audit. (6)

(ISCA class notes Pg no-298)

b) Explain, in brief, the characteristics of Cloud Computing. (6)

(ISCA class notes Pg no-323)

c) Explain the set of skills that is generally expected of an IS auditor. (4)

(ISCA class notes Pg no-238)

Q.no.5

a) "There is a practical set of principles to guide the design of measures and indicators to be
included in an EIS". Explain those principles in brief.

(ISCA class notes Pg no-75) (6)

b) Write short note on Physical Security with reference to Computer Centre Security and Controls.

(ISCA class notes Pg no-258) (6)

c) Describe the major benefits achieved through proper governance in an organization. (4)

(ISCA class notes Pg no-10)

Q. no. 6

a) Explain major stages/steps of IS Audits in brief. (6)

(ISCA class notes Pg no-240)

b) What is incremental model of system development? Also discuss its major strengths. (6)

(ISCA class notes Pg no-184)

c) Discuss the objectives of Business Continuity planning. (4)

(ISCA class notes Pg no-155)

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Functions of IS Auditor (ISCA class notes Pg no-239)

b) Role of IT in enterprises (ISCA class notes Pg no-19)

c) Audit Hook (ISCA class notes Pg no-252)

d) Alternate Processing Facility Arrangements (ISCA class notes Pg no-171)

e) Unit Testing (ISCA class notes Pg no-219)

Test -3 Solutions -- Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

(a) Describe accountants' involvement in development work in brief. (5)

(ISCA class notes Pg no-178)

(b) "Waterfall approach is one of the popular approaches for system development". Explain the
basic principles of this approach. (5)

(ISCA class notes Pg no-181)

(c) Briefly describe major characteristics of Agile Methodology. (5)

(ISCA class notes Pg no-187)

(d) What do you mean by system requirement analysis? What are the activities to be performed

during system requirement analysis phase? (5)

(ISCA class notes Pg no-194)

Q.no. 2

a) Briefly explain requirements of RBI for System Audit. (6)


(ISCA class notes Pg no-299)

b) Briefly discuss the advantages of Cloud Computing. (6)

(ISCA class notes Pg no-324)

c) Write a short note on Integrating COBIT 5 with other frameworks. (4)

(ISCA class notes Pg no-41)

Q.no. 3

a) What is Information? Briefly discuss some of its attributes. (6)

(ISCA class notes Pg no-84)

b) What do you understand by SCARF technique? Explain various types of information collected

by using SCARF technique in brief. (6)

(ISCA class notes Pg no-250)

c) What do you understand by GEIT? Also explain any three benefits of GEIT. (4)

(ISCA class notes Pg no-14)

Q. no. 4

a) Discuss two main categories of Data Management Controls in detail. (6)

(ISCA class notes Pg no-255)

b) Discuss the key management practices, which are required for aligning IT strategy

with enterprise strategy. (6)

(ISCA class notes Pg no-25)

c) Briefly discuss the volumes of ITIL framework. (4)


(ISCA class notes Pg no-311)

Q.no.5

a) Describe the methodology of developing a Business Continuity Plan. (6)

(ISCA class notes Pg no-155)

b) What is EIS? Explain major characteristics of an EIS. (6)

(ISCA class notes Pg no-73)

c) Write short note on Compensatory Controls. (4)

(ISCA class notes Pg no-109)

Q. no. 6

a) Describe major advantages and disadvantages of continuous audit techniques. (6)

(ISCA class notes Pg no-251 & 252)

b) Discuss the key characteristics of Waterfall Model in brief. Also explain its major weaknesses.

(ISCA class notes Pg no-181) (6)

c) Explain the objectives of performing BCP tests while developing a business continuity plan.

(ISCA class notes Pg no-166) (4)

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Processing Controls

(ISCA class notes Pg no-270)

b) Five Principles of COBIT 5.

(ISCA class notes Pg no-42)

c) Threats of BYOD

(ISCA class notes Pg no-330)

d) Types of Plans

(ISCA class notes Pg no-168)

e) Data Dictionary

(ISCA class notes Pg no-203)

Test -4 Solutions -- Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

(a) What are the issues, which are emphasized by the methodology for developing a business

continuity plan? (5)

(ISCA class notes Pg no-155)

(b) Explain the objectives of performing Business Continuity Planning tests. (5)

(ISCA class notes Pg no-166)

(c) What are the issues, written in a contract that should be ensured by security administrators

if a third-party site is to be used for recovery purposes? (5)

(ISCA class notes Pg no-172)

(d) What is meant by Business Continuity Planning? Explain the areas covered by Business
Continuity (5)

(ISCA class notes Pg no-154)

Q.no. 2

a) Explain in brief the classification of Systems. (6)


(ISCA class notes Pg no-55)

b) An important task for the auditor as a part of his/her preliminary evaluation is to gain
a good understanding of the technology environment and related control issues.
Explain major aspects that should be considered in this exercise.

(ISCA class notes Pg no-246) (6)

c) Explain the key functions of IT Steering Committee in brief. (4)

(ISCA class notes Pg no-21)

Q.no. 3

a) What is the vision of National Cyber Security Policy 2013? Also explain its major objectives.

(ISCA class notes Pg no-305) (6)

b) Discuss the Benefits and Challenges for Social Networks using Web 2.0. (6)

(ISCA class notes Pg no-337)

c) Discuss various types of Information Security polices and their hierarchy. (4)

(ISCA class notes Pg no-102)

Q. no. 4

a) Discuss Integrated Test Facility (ITF) technique of continuous audit in detail. (6)

(ISCA class notes Pg no-249)

b) Explain major strengths and weaknesses of Spiral model. (6)

(ISCA class notes Pg no-184)

c) While developing a Business Continuity Plan, what are the key tasks that should be covered

in the second phase "Vulnerability Assessment and General definition of Requirement"? (4)

(ISCA class notes Pg no-156)

Q.no.5

a) Explain in brief the Internet and Intranet Controls (6)

(ISCA class notes Pg no-261)

b) "The success of the process of ensuring business value from use of IT can be measured by
evaluating the benefits realized from IT enabled investments and services portfolio and
how transparency of IT costs, benefits and risk is implemented". Explain some of the key
metrics, which can be used for such evaluation. (6)

(ISCA class notes Pg no-27)

c) Briefly explain Auditor Selection Norms with reference to the requirements of SEBI for
System Controls & Audit. (4)
(ISCA class notes Pg no-303)

Q.no.6

a) Write short note on audit of business continuation/disaster recovery plan (6)

(ISCA class notes Pg no-173)

b) What do you understand by TPS? Explain basic features of a TPS in brief. (6)
(ISCA class notes Pg no-63)
c) Briefly explain major update controls with reference to database controls in brief.

(ISCA class notes Pg no-119) (4)

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Basic Plan with reference to IS Audit (ISCA class notes Pg no-244)

b) Trojan Horse (ISCA class notes Pg no-127)

c) System Testing (ISCA class notes Pg no-223)

d) Data Coding Controls (ISCA class notes Pg no-267)

e) Authentication of Electronic Records (ISCA class notes Pg no-281)

Test -5 Solutions -- Swapnil Patni's Classes

All chapters

First question compulsory

Solve 5 from remaining 6


Marks

Q.no 1.

(a) What is SDLC? Explain the key activities performed in the Requirements Analysis
phase. (5)

(ISCA class notes Pg no-188 & 194)

(b) Agile methodology is one of the popular approaches of system development. What
are the weaknesses of this methodology in your opinion? (5)

(ISCA class notes Pg no-187)

(c) What are the two primary methods through which the analyst would have collected the data ?

(ISCA class notes Pg no-) (5)

(d) State and briefly explain the stages of System Development Life Cycle (SDLC).

(ISCA class notes Pg no-189)

Q.no. 2

a) What are the major aspects that should be thoroughly examined by an IS Auditor during the

audit of Environmental Controls? Explain in brief. (6)

(ISCA class notes Pg no-265)

b) Briefly explain Prototyping approach. Also discuss major weaknesses of Prototyping model.

(ISCA class notes Pg no-182) (6)

c) Discuss the maintenance tasks undertaken in the development of a BCP in brief.

(ISCA class notes Pg no-166) (4)

Q.no. 3

a) Write a short note on System Development Controls. (6)

(ISCA class notes Pg no-257)

b) Discuss some of the sample metrics for reviewing the process of evaluating and
assessing compliance with external laws & regulations and IT compliances with internal
policies. (6)

(ISCA class notes Pg no-39)

c) What are the major provisions on "Retention of Electronic Records" with reference to
Information Technology Act 2000? Explain in brief. (4)

(ISCA class notes Pg no-283)

Q. no. 4

a) Write a short note on major activities that should be carried out in implementation. (6)

(ISCA class notes Pg no-159)

b) What do you mean by TPS? Explain basic features of a TPS in brief. (6)

(ISCA class notes Pg no-61 & 63)

c) Explain five organization control techniques in brief. (4)

(ISCA class notes Pg no-110)

Q.no.5

a) Discuss some of the important implications of Information Systems in business. (6)

(ISCA class notes Pg no-83)

b) The Information Security Policy of an organization has been defined and documented as

given below:

"Our organization is committed to ensure Information Security through established goals
and principles. Responsibilities for implementing every aspect of specific applicable
proprietary and general principles, standards and compliance requirements have been
defined. This is reviewed at least once a year for continued suitability with regard to cost
and technological changes."

Discuss Information Security Policy and also identify the salient components that have not
been covered in the above policy (6)

(ISCA class notes Pg no-101)

c) Discuss key management practices, which are needed to be implemented (4)

for evaluating whether business value is derived from IT in an organization.

(ISCA class notes Pg no-26)

Q. no. 6

a) Briefly explain requirements of RBI for System Controls. (6)

(ISCA class notes Pg no-299)

b) Explain some of the tangible benefits of mobile computing. (6)

(ISCA class notes Pg no-329)

c) Explain major cyber-attacks reported by various agencies in recent years (4)

(ISCA class notes Pg no-143)

Q.no.7

Write short notes on any four of the following: (4*4=16)

a) Risk Assessment

(ISCA class notes Pg no-163)

b) Attack, Exposure, Likelihood of threat

(ISCA class notes Pg no-30 & 32)

c) Components of Information Systems

(ISCA class notes Pg no-57)

d) Detective Controls

(ISCA class notes Pg no-108)

e) Continuous and Intermittent Simulation (CIS) technique.

(ISCA class notes Pg no-251)
