
YASEEN TOWETT MELLY

SCT221-C004-0323/2015
ASSIGNMENT
INFORMATION SYSTEMS AUDIT

1) Describe the term risk in information systems assurance and audit (2 marks)

Audit risk is the risk that an auditor issues an unqualified (clean) opinion on information that is
materially misstated, because the auditor failed to detect the misstatement, whether it arose from
error or from fraud. It is composed of inherent risk (IR), the susceptibility of an assertion to
misstatement before any controls are considered; control risk (CR), the risk that the entity's
internal controls fail to prevent or detect the misstatement; and detection risk (DR), the risk that
the auditor's own procedures miss it. The standard audit risk model combines them as
AR = IR x CR x DR, so where IR and CR are assessed as high the auditor must drive DR down with
more substantive testing.
2) Describe the various threats which exist in organisations due to cybercrime (6 marks)

internal attacks
Internal attacks are one of the largest cyber security threats facing organisations today. Rogue
employees, especially those with access to networks, sensitive data or admin accounts, are
capable of causing real damage.
phishing
Despite constant warnings from the cyber security industry, organisations still fall victim to
phishing every day. As cyber crime has become well-funded and increasingly sophisticated,
phishing remains one of the most effective methods used by criminals to introduce malware into
organisations.
spear phishing
Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to
originate from someone the recipient knows and trusts – like senior management or a valued
client.
DDoS attacks
If a business relies on a website or other online service to function, the outage caused by a
distributed denial-of-service (DDoS) attack, in which many compromised machines flood the service
with traffic, can be catastrophic. Many attacks last between 6 and 24 hours, and small businesses
with no upstream filtering are the least able to absorb them.
malware
Malware is a blanket term for any software installed on a machine to perform unwanted tasks for the
benefit of a third party. Ransomware is one type; others include spyware, adware, bots and Trojans.
Anti-virus technology helps, but it should be one layer among several: prompt patching,
least-privilege accounts, application allow-listing and tested offline backups, which are the control
that matters most once ransomware has already run.
SQL injection
SQL injection refers to vulnerabilities that let attackers read, tamper with or destroy the database
sitting behind a web application. It arises when untrusted input, typically typed into a form field
such as a login or registration page, is concatenated into the text of an SQL query, so that quote
and comment characters in the input change the structure of the statement the database executes.
The standard fix is parameterised (prepared) statements, which send the values to the database
separately from the query text.
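The flaw described above, as an added example that is not part of the original assignment: a login check that splices the username into the SQL text, beside the parameterised version that removes the hole. It uses only the Python standard library (sqlite3 with an in-memory database); the users table, the two accounts, the password-hashing scheme and the attacker's input are all constructed here for illustration.

```python
"""Added example (not from the original assignment): SQL injection in a login
check, and the parameterised query that closes it. Standard library only."""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Incidental to the injection point: a real system would use a salted,
    # slow password hash (argon2, scrypt, bcrypt), not bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", _hash("correct horse")), ("admin", _hash("s3cret!"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Return the matched username, or None.

    The username is pasted straight into the query text, so a quote character
    in it closes the string literal and the rest of the input is parsed as SQL.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, _hash(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the driver sends the SQL text and the
    values separately, so input can never change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker input: closes the literal after "admin", then comments
# out the password check with SQL's "--" line comment.
INJECTION = "admin' --"


def demo() -> dict:
    """Run the three interesting cases and return the outcomes."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "attack_vulnerable": login_vulnerable(conn, INJECTION, "anything"),
        "attack_safe": login_safe(conn, INJECTION, "anything"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

Against the vulnerable function the input `admin' --` logs the attacker in as admin without a password, because the executed statement becomes `... WHERE username = 'admin' --' AND pw_hash = '...'` and everything after `--` is a comment. Against the parameterised function the same input is just a username that does not exist. Note that hashing the password before building the query did nothing to stop the attack; only the separation of code from data does.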
WiFi eavesdropping
WiFi eavesdropping is another method cyber criminals use to capture personal information: the
attacker virtually "listens in" on traffic sent over an unsecured (unencrypted) WiFi network, or over
one whose weak encryption can be broken. End-to-end encryption of the traffic itself (TLS, a VPN)
protects the data even when the network does not.
3) Outline the concepts of risk assessment and the process followed in risk assessment/
management (8 marks)

Step 1: Identify the hazards

To identify hazards you need to understand the difference between a 'hazard' and a 'risk'.
A hazard is 'something with the potential to cause harm' and a risk is 'the likelihood of that
potential harm being realised'. In an information systems context the hazard is a threat (an
attacker, a malware outbreak, a power failure) acting on a vulnerability in an asset (an unpatched
server, a shared administrator password), and the risk is the likelihood and impact of that
combination occurring.

Step 2: Decide who might be harmed and how

Once you have identified a number of hazards you need to understand who might be harmed and
how, such as ‘people working in the warehouse’, or members of the public.
Step 3: Evaluate the risks and decide on control measures

After ‘identifying the hazards’ and ‘deciding who might be harmed and how’ you are then
required to protect the people from harm. The hazards can either be removed completely or the
risks controlled so that the injury is unlikely.

Step 4: Record your findings

Your findings should be written down; in some jurisdictions (the UK, for example) this is a legal
requirement where there are 5 or more employees. Recording the findings shows that you have
identified the hazards, decided who could be harmed and how, and how you plan to eliminate or
control the risks.

Step 5: Review your assessment and update as and when necessary

You should never forget that few workplaces stay the same and as a result this risk assessment
should be reviewed and updated when required.

4) Describe the following techniques for risk evaluation (6 marks)


Delphi technique
The Delphi method is a forecasting method based on the results of questionnaires sent to a panel
of experts. Several rounds of questionnaires are sent out, and the anonymous responses are
aggregated and shared with the group after each round. The experts are allowed to adjust their
answers in subsequent rounds. Since multiple rounds of questions are asked and the panel is told
what the group thinks as a whole, the Delphi method seeks to converge on a consensus estimate
while the anonymity limits the influence of seniority or strong personalities. Applied to risk
evaluation, the panel typically estimates the likelihood and impact of each identified risk.

Scoring approach
Many methods for risk assessment involve scoring methods in which the severity of each risk factor
is rated on an ordinal scale. The resulting values are then combined, by additive weighting or by
multiplication, to compute an aggregate measure of overall risk. On an ordinal scale, factors such
as likelihood are assigned numbers in such a way that the order of the numbers reflects the order
of the factors on an underlying attribute scale; the numbers carry order but not distance, so a
rating of 4 is not "twice" a rating of 2. Multiplying or adding ordinal ratings is therefore a
convenient heuristic rather than a measurement, and two risks with very different profiles
(frequent but minor, rare but severe) can end up with the same score. The weights and bands should
be agreed in advance and tied scores reviewed by judgement.
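The scoring approach just described, as an added example that is not part of the original assignment: a constructed risk register rated on ordinal 1 to 5 scales, aggregated both ways the text mentions (likelihood x impact, and additive weighting over three factors), then banded and ranked. The factor names, weights, band thresholds, tie-break rule and the register entries themselves are assumptions chosen for illustration, not data from the page.

```python
"""Added example (not from the original assignment): ordinal risk scoring
by multiplication and by additive weighting over a constructed register."""
from dataclasses import dataclass
from typing import Callable, Dict, List

SCALE = range(1, 6)  # ordinal 1 (lowest) .. 5 (highest)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    detectability: int  # assumed third factor: 1 = caught at once, 5 = likely to go unnoticed

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed ordinal scale.
        for field, value in (("likelihood", self.likelihood),
                             ("impact", self.impact),
                             ("detectability", self.detectability)):
            if value not in SCALE:
                raise ValueError(f"{field} must be in 1..5, got {value}")


def multiplicative_score(r: Risk) -> int:
    """Classic likelihood x impact; range 1..25."""
    return r.likelihood * r.impact


# Assumed weights for the additive approach; they sum to 1 so the result
# stays on the same 1..5 scale as the inputs.
WEIGHTS: Dict[str, float] = {"likelihood": 0.4, "impact": 0.4, "detectability": 0.2}


def weighted_score(r: Risk, weights: Dict[str, float] = WEIGHTS) -> float:
    """Additive weighting of the three ordinal factors."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    total = (r.likelihood * weights["likelihood"]
             + r.impact * weights["impact"]
             + r.detectability * weights["detectability"])
    return round(total, 2)


def band(score: int, medium_from: int = 6, high_from: int = 15) -> str:
    """Map a 1..25 multiplicative score to a band (thresholds assumed)."""
    if score >= high_from:
        return "High"
    if score >= medium_from:
        return "Medium"
    return "Low"


def rank(register: List[Risk], scorer: Callable[[Risk], float]) -> List[Risk]:
    """Highest score first; ties broken toward the higher impact, then by name."""
    return sorted(register, key=lambda r: (-scorer(r), -r.impact, r.name))


# Constructed sample register (illustrative, not real data).
REGISTER: List[Risk] = [
    Risk("Phishing leads to credential theft", likelihood=5, impact=3, detectability=3),
    Risk("Ransomware on file server", likelihood=3, impact=5, detectability=2),
    Risk("Insider exfiltrates customer data", likelihood=2, impact=5, detectability=5),
    Risk("Frequent minor web defacement", likelihood=5, impact=2, detectability=1),
    Risk("Office Wi-Fi eavesdropping", likelihood=2, impact=2, detectability=4),
]


def report(register: List[Risk] = REGISTER) -> List[dict]:
    """One row per risk, in multiplicative rank order."""
    return [
        {"name": r.name,
         "lxi": multiplicative_score(r),
         "band": band(multiplicative_score(r)),
         "weighted": weighted_score(r)}
        for r in rank(register, multiplicative_score)
    ]


if __name__ == "__main__":
    for row in report():
        print(f"{row['lxi']:>3} {row['band']:<7} {row['weighted']:>4}  {row['name']}")
```

The register is deliberately built so that two entries tie: the rare, severe insider case and the frequent, minor defacement both score 2 x 5 = 10 and land in the same band, which is the weakness of multiplying ordinal ratings noted above. The tie-break toward higher impact, and the weighted score that brings detectability into play (3.8 against 3.0), are the kind of pre-agreed rules that keep such ties from being resolved arbitrarily.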

5) Describe the concept of business continuity planning and the areas it covers (8 marks)

Business continuity planning (BCP) is the creation of a strategy through the recognition of
threats and risks facing a company, with an eye to ensure that personnel and assets are protected
and able to function in the event of a disaster. Business continuity planning involves defining
potential risks, determining how those risks will affect operations, implementing safeguards and
procedures designed to mitigate those risks, testing those procedures to ensure that they work,
and periodically reviewing the process to make sure that it is up to date.

Four Steps to Developing a Business Continuity Plan


Conduct a business impact analysis to identify time-sensitive or critical business functions and
processes and the resources that support them.
Identify, document, and implement strategies to recover critical business functions and processes.
Organize a business continuity team and compile a business continuity plan to manage a business
disruption.
Conduct training for the business continuity team and testing and exercises to evaluate recovery
strategies and the plan.

Business Continuity Impact Analysis


An important part of developing a BCP is the business impact analysis (BIA). It identifies the
effects of disrupting each business function and process, and that information is used to decide
recovery priorities and strategies, for example how long each function can be unavailable before
the loss becomes unacceptable.

6) Describe the phases of business continuity planning (8 marks)

Phase 1: Identify the risks


The first phase is to conduct a risk assessment, identifying any potential hazards that could
disrupt your business. Consider any type of risk your team can imagine, including natural threats,
human threats and technical threats.

Phase 2: Analyze the risks you face


Next, you'll perform a business impact analysis (BIA) to gauge the impact of each potential risk.
For each risk, determine how severe the impact would be and how long your business could
survive without those processes running. Consider what is absolutely necessary for recovery,
how quickly it needs to happen, what your minimum operating resources are, and any
dependencies, either internal or external.

Phase 3: Design your strategy


Now it's time to work out strategies to mitigate interruptions and to recover from them quickly.
Consider everything you'll need to protect your people, your assets and your functions.
Start by comparing your current recovery capabilities to your business requirements and decide
how you will fill that gap.

Phase 4: Plan development and execution


Finally, it's time to create a concise, well organised and easy-to-follow document or set of
documents. Consider everyone who may use the plan, and document it in a way that will be most
useful when your business is suffering an interruption. Then publish the plan, socialise it and
train your staff on how to use it.

Phase 5: Measure your success by testing


A plan isn't truly a plan until it has been thoroughly tested. There are a variety of tests you
should perform, each providing different information on how to improve your plan. They range
from a checklist review, through a walk-through in which your team works the plan as if an actual
event were under way, to live exercises such as emergency evacuation drills.

7) Describe the following standards (7 marks)


1. AAS 29
Auditing and Assurance Standard (AAS) 29, issued by the Institute of Chartered Accountants of
India (ICAI), establishes standards on the procedures to be followed when an audit is conducted in
a computer information systems (CIS) environment.
2. COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint
initiative to combat corporate fraud. It was established in the United States by five private
sector organizations, dedicated to guide executive management and governance entities on
relevant aspects of organizational governance, business ethics, internal control, enterprise
risk management, fraud, and financial reporting.
3. ISO 27001
ISO/IEC 27001 is the international standard that specifies the requirements for establishing,
implementing, maintaining and continually improving an information security management system
(ISMS); the accompanying ISO/IEC 27002 gives guidance on the controls. Achieving accredited
certification to ISO 27001 demonstrates that an independent body has found the organisation's ISMS
to meet the standard's requirements, not that every system is secure.
4. CMM
The Capability Maturity Model (CMM) is a methodology used to develop and refine an
organisation's software development process. The model describes a five-level evolutionary
path (Initial, Repeatable, Defined, Managed, Optimising) of increasingly organised and
systematically more mature processes. It has since been superseded by CMMI (Capability Maturity
Model Integration), but the five maturity levels remain a common yardstick when an auditor rates
how disciplined an organisation's IT processes are.
5. COBIT
COBIT (Control Objectives for Information and Related Technologies) is a framework created by
ISACA (Information Systems Audit and Control Association) for IT governance and management. It
was designed to be a supportive tool for managers and auditors, bridging the gap between technical
issues, business risks and control requirements.
6. ITIL
The Information Technology Infrastructure Library is a set of detailed practices for IT service
management (ITSM) that focuses on aligning IT services with the needs of the business.
7. SARBANES-OXLEY
The Sarbanes-Oxley Act of 2002 (SOX) is a United States federal law, signed on July 30, 2002, that
protects investors from fraudulent accounting activities by corporations. Sometimes referred to as
the Corporate Responsibility Act of 2002, it mandated strict reforms to improve financial
disclosures from corporations and prevent accounting fraud. Section 404, which requires management
and the external auditor to assess internal control over financial reporting, is the reason IT
general controls (access management, change management, backup and operations) on the systems
that feed the financial statements fall within the scope of an information systems audit.
