CISA CH 3 Exam 133 Questions with Verified Answers
Project governance and management - CORRECT ANSWER IS auditor's role is to ensure that rules of system development like SoD are not compromised. Components of project management are initiating, planning, executing, controlling, monitoring and closing.

Three types of project management org structures - CORRECT ANSWER
- Functional-structured organization-project manager only has a staff function without formal management authority; manager advises peers and team members only as to which activities should be completed
- Project-structured organization-project manager has formal authority over those taking part in the project, such as over budget, schedule and teams
- Matrix-structured project organization-management authority is shared between the project manager and the department head
Requests for projects should be submitted to the IT steering committee, who should identify a project manager
- Manager should be given control over the project and allocate appropriate resources

Project steering committee - CORRECT ANSWER provides overall direction and ensures stakeholders are represented in project outcome
- Should be comprised of a senior representative from each area that will be impacted by the project
- Project manager should also be a member of the committee
- Should review project progress regularly and hold emergency meetings when required
- Should coordinate and advise the project
- Should take corrective action if necessary

Senior management - CORRECT ANSWER should commit to the project and approve necessary resources

Project sponsor - CORRECT ANSWER funds the project and works with project manager to define critical success factors and measures of success

User management - CORRECT ANSWER owns the project and resulting system, allocates representatives to the team and actively participates in system planning

User project team - CORRECT ANSWER completes tasks, communicates with system developers as subject matter experts, advises project manager of expected and actual plan deviations

Project manager - CORRECT ANSWER provides day-to-day management and leadership of the project

Quality assurance - CORRECT ANSWER reviews results and deliverables within each phase and at the end of each phase

Systems development management - CORRECT ANSWER provides technical support for hardware and software environments; provides assurance that system is compatible with current IT environment and direction

Systems development project team - CORRECT ANSWER completes tasks, talks to users by involving them in development process

Security officer/team - CORRECT ANSWER ensures that system controls and processes provide adequate protection, consults on security measures of project, reviews plans and reports prior to implementation; periodically monitors security

Information system security engineer - CORRECT ANSWER applies engineering principles to identify security vulnerabilities and minimize risk
ROI - CORRECT ANSWER IS auditor should look at how business defines ROI for projects. If org fails to meet ROI consistently, it may mean there is a weakness in SDLC or project management practices

Project initiation - CORRECT ANSWER Project is initiated by manager or sponsor gathering information for approval of project, compiled into project charter that states objective, stakeholders, and manager and sponsor. Project initiation document or project request document (PID/PRD) is approved for project to officially begin. Initiation may be achieved through:
- One-on-one meetings-facilitates communication between team members and manager
- Kickoff meetings-informs team of what has to be done
- Project start workshops-ensures communication is open and clear among team members and increases cooperation
- A combination of the three above

Defining project goals - CORRECT ANSWER To define goals for project, common approach is to start with object breakdown structure (OBS)-represents individual components of solution and their relationships in hierarchy

Work breakdown structure - CORRECT ANSWER Next, work breakdown structure (WBS) is designed to structure tasks necessary for project. Represents project in terms of manageable units of work, serves as communication tool for the project, and forms the baseline for cost and resource planning
- Work packages (WPs) have individual packets of work for team members with more detailed info

Key WBS points to remember - CORRECT ANSWER
- Top level represents final deliverable or project
- Subdeliverables contain WPs that are assigned to specific units
- All elements do not need to be defined to the same level
- WPs define work, duration and costs for the tasks required to produce subdeliverables
- WPs should not exceed 10 days
- WPs need to be independent of each other
- WPs should not be duplicated in the WBS

Scope of project - CORRECT ANSWER Project manager should decide scope of project, tasks to be performed, priority of tasks, budget for tasks, source of funding for resources

Some ways of sizing and measuring project include - CORRECT ANSWER
- Analogous estimating-using prior projects to estimate cost, quickest technique
- Parametric estimating-manager looks at the past data from above and uses statistics to develop an estimate, more accurate than analogous
- Bottom-up estimating-cost of each activity is estimated in more detailed way and added up to find estimate. Most accurate but most time-consuming
- Actual costs-extrapolates from actual costs that were incurred on the same system during past projects
Timebox management - CORRECT ANSWER Timebox management-technique for defining and deploying software deliverables within a short fixed time and with specific resources
- Need to balance quality and time needed to deliver
- Prevents cost overruns and delays from scheduled delivery
- System testing and user acceptance testing are done together to save time

Project change requests during project - CORRECT ANSWER Stakeholders are the only people allowed to submit change requests to project manager, who should review the impact on scope, schedule and budget

Earned value analysis - CORRECT ANSWER Earned value analysis-compare metrics at regular intervals such as:
- Budget to date
- Spending to date
- Estimate to complete

An IS auditor must understand the system being implemented and do tasks such as - CORRECT ANSWER
- Meet with systems development and user project team members to determine components, objectives, and user requirements to identify areas that need controls
- Discuss selection of controls with system development and user project team members to determine and rank risk exposures
- Discuss references to authoritative sources with team to identify controls to mitigate risk
- Evaluate controls and participate in discussions to advise project team regarding design of system and implementation of controls
- Periodically meet with team to review documentation and deliverables to monitor process to ensure controls are implemented, requirements are met, and development methodology is being followed
- Test existing controls to ensure integrity of production environment
- Participate in post-implementation reviews

Business case and feasibility analysis - CORRECT ANSWER In a well-planned project, there will be decision points (stage gates or kill points) when a business case is reviewed to ensure that it is still valid. After approval, analysis is done to define the needs and identify alternatives to solving the need, known as feasibility study.

Feasibility analysis includes - CORRECT ANSWER
- Project scope
- Current analysis-understanding of a system, software etc. Analysis may determine that current product is working correctly, modifications are needed, or complete upgrade is needed
- Requirements-define project requirements based on stakeholder needs and constraints
- Approach-course of action to satisfy the requirements for the system or software solution. Says alternatives considered and rationale behind decision
- Evaluation-examination of cost-effectiveness based on previously completed elements in feasibility study. Includes total cost of project and summary including cost-benefit, ROI, etc
- Review-reviews previous elements to validate the completeness and accuracy of feasibility study and render decision to approve or reject the project

IS auditor should review feasibility study and - CORRECT ANSWER Review the criticality of the system process requirements
End user centric-objective is to provide different views of data for their performance optimization
- Use alternative development approaches
- Example: decision support systems, geographic information systems

Situations that initiate development projects - CORRECT ANSWER Situations that initiate development projects are closely related to key business drivers
- Key business drivers-attributes of a business function that drive the behavior and implementation of that function to achieve strategic goals

When does waterfall SDLC work best - CORRECT ANSWER Waterfall SDLC normally works best when project requirements are stable and well defined
- Provides a template into which methods for the requirements can be placed
- Can be inflexible to changes, and needs clearly defined requirements at the beginning of the product development cycle

Verification and validation model - CORRECT ANSWER Verification and validation model (V-model)-emphasizes the relationship between development phases and testing levels
- Unit test occurs immediately after programs are written to validate the detailed designs

SDLC phases - CORRECT ANSWER
- Phase 1-feasibility study-concerned with analyzing benefits and solutions for problem area
- Phase 2-requirements definition-identifies business requirements of the system during feasibility study
- Phase 3A-software selection and acquisition-evaluate risk and benefits of developing new system vs acquiring from a vendor
- Phase 3B-design-detailed design based on user requirements
- Phase 4A-configuration-defining, tracking and controlling changes in an acquired system to meet business needs
- Phase 4B-development-use detailed design from 3B to develop system
- Phase 5-final testing and implementation-actual operation is established and tested and final UAT is done
- Phase 6-post-implementation review-make sure system is designed and developed well and that proper controls are in place

Phase 1 - CORRECT ANSWER
- Defines a time frame for implementation
- Looks at alternatives and determines if existing system could work with some workarounds
- Determines vendor products and approximate cost
- Resource requirements, compatibility with business plans
- Risk and regulatory compliance
- Compatibility with existing IT infrastructure
- Likely future requirements for changes to functionality

Phase 2 - CORRECT ANSWER What the system should do, how users interact with it, information criteria the system should meet. Looks at nonfunctional requirements (i.e. access control). Project team should consult stakeholders, analyze requirements for conflicts, identify system bounds, identify security requirements, record requirements, and verify that requirements are complete, consistent, verifiable, testable, and traceable. IS auditor should look at the degree to which the security engineering team is involved in developing security controls. Also look at regulatory and legal requirements
- Should review flowcharts for adherence to general design
- Review appropriateness of input, process and output controls
- Review key system users to determine their understanding of operation
- Assess adequacy of audit trails
- Review quality assurance results
- Perform risk assessment

Phase 4 - CORRECT ANSWER Coding, debugging, developing data conversion systems from old system to new; creating user procedures; training selected users on system use; identifying secure code and configuration standards. Should use structured programming techniques to divide system into independent functions. Integrated development environment (IDE) allows programmers to code interactively, lowering development cost and time
- Could cause multiple versions of programs, reduce program integrity through potential for unauthorized access or changes, possibility that valid changes could be overwritten by other changes
Debugging tools assist programmers in debugging, fixing, or fine-tuning programs under development
- Logic path monitors-report on sequence of events performed by program, giving clues on logic errors
- Memory dumps-provide picture of internal memory's content at one point in time. When program fails, gives clues to inconsistency in data or parameter values
- Output analyzers-check results of program execution for accuracy by comparing expected with actual results

Phase 5 - CORRECT ANSWER Implementation should be coordinated by user management with the help of IS management (not vendor, to avoid unauthorized changes by vendor's employees)
Phase 6 - CORRECT ANSWER Evaluate projected cost benefits, look at inadequacies, develop plan for new recommendations

Agile model - CORRECT ANSWER Iterative model (agile)-tested in iterations

IS auditors should review the following risk items - CORRECT ANSWER IS auditor should look at risk and exposures in each phase and ensure controls are in place to minimize risk. Should review the following activities:
- Levels of oversight by project board
- Risk management methods
- Issue and cost management
- Processes for planning and dependency management
- Reporting processes to management
- Change control processes
- Stakeholder management involvement
- Signoff process

IS auditors should look at the following documentation - CORRECT ANSWER Should look at the following documentation:
- Objectives for each phase
- Key deliverables by phases with project personnel assigned direct responsibilities
- Project schedule with key dates
- Economic forecast defining resources and cost of resources

There are different methods for designing and developing software systems - CORRECT ANSWER Prototyping (heuristic or evolutionary development)-creates a system through controlled trial and error to reduce risk in developing the system
- Uses classic SDLC with stepwise approach but adds iterative prototypes
- Can either build the model and develop a system based on that or gradually build the actual system
- First approach puts pressure to implement early prototype; people don't get why the prototype can't be put straight into production without scaling
- Deployment stage-final testing and training, data conversion and implementation

Object oriented system development - CORRECT ANSWER Object oriented system development (OOSD)-programming technique where data and procedures are grouped into objects. Methods and classes are used to define object interactions and relations
- Can be used with any software methodologies
- Can help manage unrestricted variety of data types, model complex relationships, can meet demands of changing environment

Component based development - CORRECT ANSWER Component based development-assembling applications from cooperating packages of executable software that have defined interfaces
- Types of components are:
- In-process client components-run from within host container like a mobile application or virtual machine
- Stand-alone client components-expand services to other software like Excel and Word
- Stand-alone server components-processes running on servers that provide services in standardized ways
- In-process server components-run on servers within containers like MTS or JavaBeans
- Benefit is ability to buy proven software from commercial developers as components
- Reduces development time, improves quality, allows developers to focus more on business functionality
- Promotes modularity, simplifies reuse, and reduces cost

Web based applications - CORRECT ANSWER Web based applications use different APIs and are hard to integrate, but it allows reduction of redundant code such as changing data in multiple databases
- Uses simple object access protocol (SOAP)-XML language to define APIs
- Web services description language (WSDL)-identifies SOAP specification that is to be used for input and output to the code module

Software reengineering and reverse engineering - CORRECT ANSWER Software reengineering and reverse engineering use other code to develop new system, cutting down on development time, but software license agreements can be a problem and decompilers are difficult to use properly

DevOps - CORRECT ANSWER DevOps-integration of development and operation processes to eliminate conflicts and barriers
- Often impacts control environment and level of risk, so IS auditor should confirm SoD
- Requires communication between software development and operations and uses agile extensively
- Uses automation in development, security and IT operations activities

To successfully do BPR, should take following steps - CORRECT ANSWER
- Define areas to be reviewed
- Develop a project plan
- Gain an understanding of process under review
- Redesign process
- Implement the new process
- Establish continuous improvement

Project team needs to do the following - CORRECT ANSWER
- Process decomposition to the lowest level required for effectively assessing process
- Identification of customers, managers or process owners
- Can lack lower-level commands necessary to perform types of data-intensive or online operations
- Environmental independence (portability)-can be used across architectures, OSs and telecommunications monitors
- Software facilities-facilities include ability to design or paint retrieval screen formats, develop training routines and produce graphical outputs
- Programmer workbench concepts-programmer has access to easy filing facilities, temporary storage, text editing and OS commands
- Simple language subsets-simple subsets that can be used by less-skilled users

Characterized in following ways - CORRECT ANSWER
- Query and report generators-produce reports
- Embedded database 4GLs-depend on self-contained DBMS, makes more user friendly but may not integrate well with other applications
- Relational database 4GLs-usually an optional feature on vendor's DBMS product line, allow app developer to make better use of DBMS but are not end-user oriented
- Application generators-development tools generate lower-level programming languages

Information and Communication Technologies (ICT) - CORRECT ANSWER Information and Communication Technologies (ICT) departments are often tasked with balancing conflicting requirements for physical infrastructure development like zero data loss and 24/7 availability. Must ensure alignment of ICT with corporate standards, provide appropriate security, integrate with legacy systems, allow for infrastructure growth, ensure cost-effective support, and maximize investment

The phases of physical architecture analysis include - CORRECT ANSWER
- Review of existing architecture (size limits, physical security issues)
- Analysis and design
- Draft functional requirements
- Vendor and product selection
- Writing functional requirements
- Proof of concept (running prototype with documentation and test protocols)

Project phases of planning the implementation of infrastructure - CORRECT ANSWER
1. Procurement phase
- Delivery time
- Installation plan
- Installation test plan

When auditing HW/SW acquisition, IS auditor should - CORRECT ANSWER
- Determine if the process began with a business need and whether hardware requirements were considered in specifications
- Determine if several vendors were considered and whether comparison was done according to set criteria

Four cases for software acquisition - CORRECT ANSWER
- Software is required for generic business process for which vendors are available and software can be implemented without customization
- Software needs to be customized to suit business processes
- Software needs to be developed by the vendor