# Statistical sampling minimizes the detection risk.
- Detection risk is the risk that the auditor's procedures fail to find a material misstatement that exists in the entity's financial statements, i.e. the auditor concludes that no material errors are present when in fact there are.
- With statistical sampling, the probability that the sample misses a misstatement (sampling risk) can be objectively quantified and held to a chosen level (for example 5%), so detection risk can be measured and minimized rather than estimated by judgement alone.
# Compliance testing checks for the presence and operation of controls. Compliance testing determines whether controls are being applied in accordance with policy; this includes tests to determine whether new accounts were appropriately authorized before they were created.
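An added worked example (not part of the original notes) showing how statistical attribute sampling quantifies the risk in a compliance test such as "were new accounts authorized?". It uses the binomial model of attribute sampling and assumes a constructed population of new-account records plus hypothetical parameters: a 5% tolerable deviation rate and 5% acceptable sampling risk. The sample size and upper deviation limit functions are general and can be reused for any yes/no control test:

```python
"""Attribute sampling for a compliance test (added example, not from the notes).

Constructed scenario: the auditor tests whether new user accounts were
authorized before creation. Each account is a sampling unit; an account
with no approved request is a 'deviation'. Assumed parameters:
  tolerable deviation rate = 5%   (highest rate the auditor will accept)
  sampling risk            = 5%   (risk of wrongly accepting the control)
  expected deviations      = 0    (auditor expects a clean population)
"""
from math import comb
import random


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable_rate, risk, expected_deviations=0, n_max=5000):
    """Smallest n such that, if the true deviation rate equalled the
    tolerable rate, seeing at most `expected_deviations` deviations would
    happen with probability <= risk. Seeing that few deviations then lets
    the auditor accept the control at (1 - risk) confidence."""
    for n in range(expected_deviations + 1, n_max):
        if binom_cdf(expected_deviations, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size found below n_max")


def upper_deviation_limit(n, deviations, risk, tol=1e-6):
    """Achieved upper deviation limit: the largest population deviation
    rate still consistent, at (1 - risk) confidence, with observing
    `deviations` in a sample of n. Found by bisection on
    P(X <= deviations | n, p) = risk (the CDF falls as p rises)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid  # this rate is still plausible; push the bound up
        else:
            hi = mid
    return hi


def evaluate_sample(n, deviations_found, tolerable_rate, risk):
    """Compare the achieved upper limit with the tolerable rate. If the
    upper limit exceeds it, the auditor cannot rely on the control."""
    p_u = upper_deviation_limit(n, deviations_found, risk)
    return {
        "n": n,
        "deviations": deviations_found,
        "upper_limit": round(p_u, 4),
        "control_reliable": p_u <= tolerable_rate,
    }


def build_population(size=1000, unauthorized=8, seed=7):
    """Constructed population of new-account records (not real data)."""
    rng = random.Random(seed)
    bad = set(rng.sample(range(size), unauthorized))
    return [{"account": f"user{i:04d}", "authorized": i not in bad}
            for i in range(size)]


if __name__ == "__main__":
    TOLERABLE, RISK = 0.05, 0.05
    n = sample_size(TOLERABLE, RISK)            # 59 for 5%/5%/0 expected
    population = build_population()
    sample = random.Random(1).sample(population, n)
    found = sum(1 for rec in sample if not rec["authorized"])
    print(f"sample size: {n}, deviations found: {found}")
    print(evaluate_sample(n, found, TOLERABLE, RISK))
```

With zero deviations in 59 items the upper limit is about 4.95%, just under the 5% tolerable rate, so the control can be relied on. A single deviation in the same sample pushes the upper limit to roughly 7.8%, and the auditor must either extend the sample or conclude the control is not operating effectively. Note that the sample size rises steeply as the expected deviation rate rises towards the tolerable rate.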
# Bottom-Up Approach:
Start with testing of individual units such as programs or modules and work upward until the complete system is tested.
Advantages of bottom-up: (i) Testing can start before all programs are complete (ii) Errors in critical modules can be found early.
# Top-Down Approach:
Testing starts at the broader system level and gradually moves down towards individual programs and modules.
Advantages of top-down: (i) Interface errors can be detected earlier (ii) Confidence in the system is achieved earlier.
System testing includes (i) Recovery testing (ii) Security testing (iii) Load testing (iv) Volume testing (v) Stress testing and (vi) Performance testing.
# A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed?
A. On the local network B. Outside the firewall C. In the demilitarized zone (DMZ) D. On the server that hosts the web site
The correct answer is: C
Explanation:
The local network doesn't make sense: the public website faces the Internet, and the local network should always sit behind another layer of firewalls. Traffic for the website never reaches the local network, because the website belongs in a DMZ. As for the server that hosts the website: a network IDS is a standalone device with a very specialized mission that requires a lot of pattern matching, so it belongs on a separate, purpose-built box. A "soft IDS" sharing hardware with the web server could easily be flooded by run-of-the-mill script-kiddie traffic, taking the site down with it. So we only have to decide the order of the boxes:
- Internet-IDS-Firewall, or Internet-Firewall-IDS.
Firewalls define DMZs, remember. Internet-IDS-Firewall is option B and Internet-Firewall-IDS is option C. Firewalls are built to be the first line of defense and to face the Internet. The analysis an IDS performs is usually more complicated (assuming a traditional firewall, not a "next-generation firewall"), so it helps for the firewall to do the coarse work first. A simple example: if there is only one website in the DMZ, the firewall can drop everything except ports 80 and 443 to the website's address. Then all the IDS has to do is examine the HTTP traffic for web attacks such as XSS and the like. One caveat: traffic on port 443 is TLS-encrypted, so a network IDS can only inspect it where TLS is terminated in front of the sensor (for example at a reverse proxy in the DMZ) or the sensor is given the server's keys; otherwise it sees only the plaintext port-80 traffic and connection metadata. An IDS outside the firewall (option B) would also alert on every scan and probe the firewall is about to drop, producing noise rather than actionable alerts. So option C is clearly the best.
# Actively managing compliance with the contract terms for the outsourced services is the responsibility of IT management.
- Compliance with regulatory requirements is within the purview of the compliance or legal team.
- Payment is within the scope of the finance team.
- Penalties for non-compliance are a by-product of managing compliance with the contract, not a separate responsibility.
# The primary activity of a CA is to validate the identity and authenticity of the entity requesting a certificate and then issue the certificate, binding that identity to the entity's public key with the CA's signature; the signature is what lets relying parties verify the integrity of a certificate issued by that CA.
- CAs are not responsible for securing the communication channel; that is done by the protocol (e.g. TLS) using the certified keys. Private keys are never made available in the public domain, and the CA never needs the subscriber's private key, only the public key.
# The board of directors of any organisation has ultimate responsibility for the development of the IS security function.
- The security committee acts under the direction of the board.
- The IS department is responsible for the execution of the policy.
- The IS audit department needs to ensure proper implementation of the IS security policy and, in case of any deviation, report it to management.