
INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL
Suggested Answers
Final Examinations Summer 2011

Ans.1

(a) Possible weaknesses in the existing VSDS of PFL are as follows:
(i) Lack of segregation of duties, as the Warehouse Superintendent is maintaining the stock record.
(ii) Data maintained by the Superintendent in Excel sheets is vulnerable to changes.
(iii) Possibility of intentional over-charging by the salesman (fraud), resulting in customer dissatisfaction when the error is detected.
(iv) Possibility of errors such as inaccurate pricing and arithmetical inaccuracies.
(v) The opportunity to track good cash customers is being lost by maintaining records of credit customers only.
(vi) Itemized detail of products issued and returned is not maintained.

(b) The tools and technologies available to automate the VSDS and their working are described below:
(i) Handheld devices / PDAs (Personal Digital Assistants) or even new generation mobile phones may be used as the front end (input device) to capture transactions electronically at different stages of the transaction, i.e. loading of inventory, making sales / collection, collecting expired products etc.
(ii) These devices would be supported with printers for issuing instant invoices / receipts / credit memos.
(iii) At the end of the trip, each salesman would place the handheld computer / PDA in a hub connected with the backend software, which would instantly capture the information from it onto the main database.

(c) PFL could obtain the following benefits after automation of its VSDS:
(i) Integration of Sales, Warehousing and Accounting will reduce errors in the recording of sales and warehousing transactions.
(ii) Reduced paperwork.
(iii) Time saving from the company's as well as the customer's point of view.
(iv) Instant capturing of transactions from the front end device / PDA into the Back Office Accounting system.
(v) Management would have access to complete data relating to individual customers, categories of customers, region-wise sales etc.
(vi) Management would have better control over the activities of Van Salesmen and over expired / damaged products.
(vii) Reduced administration cost, i.e. cost of reconciliation of sales, inventories etc.
(viii) Reduced errors, both intentional and unintentional.
(ix) Effective inventory planning.
(x) Increased motivation level of the sales team.

Ans.2

(a) Separation of Duties Matrix

Roles (rows and columns in the same order): SA = System Analyst, SD = SW Developer, TL = Tape Librarian, DBA = DB Admin, SecA = Security Admin, NA = Network Admin, HD = Help Desk Officer, DEO = Data Entry Operator

Legend: OK = Compatible function; X = Incompatible function (a role compared with itself is left blank)

       SA    SD    TL    DBA   SecA  NA    HD    DEO
SA           OK    X     OK    X     OK    X     OK
SD     OK          X     X     X     X     X     X
TL     OK    X           X     X     OK    X     X
DBA    OK    X     OK          OK    X     X     X
SecA   X     X     X     OK          OK    OK    X
NA     OK    X     X     X     OK          X     X
HD     X     X     X     X     OK    X           X
DEO    OK    X     OK    X     X     X     X

(b) If the role of Software Developer (SD) is to be combined with the role of Database Administrator (DBA), the following compensating controls could be implemented:
(i) Authorization: Mandatory written authorization from the supervisory level for every change or amendment in the application program / database structure / database permissions.
(ii) User Logs/Audit Trails: Generating a complete un-editable log of the DBA's activities. Such logs should not be accessible to the DBA and SD and should be reviewed periodically by a supervisory authority.
(iii) Exception reporting: Configure exception reports or alerts for activities other than normal, like overriding database default controls, mismatch of application program version etc. These reports should be handled at the supervisory level on a priority basis and should require evidence, such as initials on a report, noting that the exception has been handled properly.
(iv) Supervisory reviews: Besides reviewing various logs, other supervisory reviews may also be performed through observation, inquiry and test checks etc.
(v) Independent reviews: Independent reviews may be carried out by an internal or external auditor etc.
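An added illustration of control (ii) above, not part of the suggested answer: a hash-chained, append-only log of DBA activity in Python, with a constructed session. Chaining makes any later edit or deletion detectable by the reviewing supervisor; it does not replace the requirement that the DBA and SD have no write access to the log store.

```python
import hashlib
import json

GENESIS = "0" * 64   # link value carried by the first entry


def _digest(body):
    """SHA-256 over a canonical JSON encoding of an entry body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ChainedAuditLog:
    """Append-only log of privileged (DBA) activity. Each entry stores the hash of the
    previous entry, so rewriting or removing an entry breaks every later link and the
    supervisor reviewing the log can see where the record stopped being trustworthy."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "actor", "action", "prev")}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(body):
                return False, i
            prev = e["hash"]
        return True, None


def demo():
    """Constructed DBA session: a permission grant is logged, then the entry is rewritten."""
    log = ChainedAuditLog()
    log.append("dba_user", "ALTER TABLE accounts ADD COLUMN note TEXT")
    log.append("dba_user", "GRANT ALL ON accounts TO dev_user")     # change of database permissions
    log.append("dba_user", "REVOKE ALL ON accounts FROM dev_user")
    intact = log.verify()
    log.entries[1]["action"] = "SELECT 1"   # someone with write access tries to hide the grant
    tampered = log.verify()
    return intact, tampered
```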

Ans.3

(a) In a Passive Attack, network information is gathered by probing/observing various activities performed through the network. When the attack is actually launched (either using the information gained through the passive attack or otherwise), it is called an Active Attack.

Examples of passive attacks are as follows (Network Threat: Explanation):
(i) Eavesdropping: The attacker gathers the information flowing through the network. Such information may include emails, passwords and in some cases keystrokes, in real time.
(ii) Traffic analysis: The attacker determines the nature of traffic flow between defined hosts through an analysis of session length, frequency and message length. Such analysis enables the attacker to guess the type of communication taking place even if it is encrypted.
(iii) Network analysis / footprinting: Initially the attacker uses a combination of tools and techniques to build a repository of information about a particular company's internal network. Later, the attacker focuses on systems within the targeted address space that responded to these network queries when targeting a system for actual attack. Once a system has been targeted, the attacker scans the system's ports to determine what services and operating system are running on the targeted system, possibly revealing vulnerable services that could be exploited.

Examples of active attacks are as follows (Network Threat: Explanation):
(i) Masquerading: The attacker impersonates an authorized user and thereby gains certain unauthorized privileges.
(ii) Denial-of-service: It occurs when a computer connected to the Internet is flooded with data and/or requests that must be serviced. The machine becomes so tied up with these messages that it is rendered useless.
(iii) Brute-force attack: The attacker launches an attack using any of the password breaking tools.

(b) Primary functions of a firewall are as follows:
(i) Allows only authorized traffic to pass.
(ii) Keeps information related to all access attempts undertaken.

Different types of firewalls are described below:

Router Packet Filtering: Such firewalls are essentially routers operating at OSI layer 3, using set access control lists (ACLs). Decisions are made to allow or disallow traffic based on the source and destination IP address, protocol and port number. Such firewalls can compare the header information in packets only against their rules. As a result they provide relatively low security as compared to other options.

Stateful Inspection: They keep track of all packets through all OSI layers until that communication session is closed. It tracks communication (or sessions) from both internal and external sources. The rules are changed dynamically when an outbound connection is established to enable packets from the destination IP address to return back to the origin. All other traffic is stopped from reaching the origin computer, protecting it from the dangers of the Internet.

Application Firewall: Such firewalls manage conversations between hosts, acting as an intermediary at the application level of the OSI model. All packets passing to the network are delivered through the proxy, which is acting on behalf of the receiving computer. The communication is checked for access authorization according to a rule-base and then passed on to the receiving system or discarded. The proxy receives each packet, reviews it, and then changes the source address to protect the identity of the receiving computer before forwarding. Proxy firewalls can look at all the information in the packet (not just the header), all the way to the application layer. They provide the greatest degree of protection and control because they inspect all seven OSI layers of network traffic.
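The difference between the header-only decision of a packet-filtering router and the session tracking of a stateful firewall, shown in an added Python simulation that is not part of the suggested answer. The addresses, ports and rules are constructed; the stateless ACL can only express "let replies in" as a rule on source port 443, which also admits an unsolicited packet that the session-tracking firewall rejects.

```python
from dataclasses import dataclass

INTERNAL = "192.0.2."   # constructed: address prefix of the internal (origin) network
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

def _match(rule, pkt):
    """A rule matches when every header field it names equals the packet's field."""
    return (pkt.src_ip.startswith(rule.get("src", ""))
            and pkt.dst_ip.startswith(rule.get("dst", ""))
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("sport", pkt.src_port) == pkt.src_port
            and rule.get("dport", pkt.dst_port) == pkt.dst_port)

class PacketFilter:
    """Layer-3 router ACL: decides on header fields only, with no memory of sessions."""
    def __init__(self, acl):
        self.acl = acl
    def decide(self, pkt):
        for rule in self.acl:
            if _match(rule, pkt):
                return rule["action"]
        return "deny"   # implicit deny at the end of the list

class StatefulFirewall:
    """Records outbound sessions; inbound packets pass only as the reply to one of them."""
    def __init__(self):
        self.sessions = set()
    def decide(self, pkt):
        if pkt.src_ip.startswith(INTERNAL):
            # outbound connection: dynamically allow the reverse flow back to the origin
            self.sessions.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
            return "allow"
        reverse = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        return "allow" if reverse in self.sessions else "deny"

def compare():
    """Run the same packets through both; returns {name: (acl_decision, stateful_decision)}."""
    acl = PacketFilter([
        {"src": INTERNAL, "proto": "tcp", "dport": 443, "action": "allow"},  # outbound HTTPS
        {"proto": "tcp", "sport": 443, "action": "allow"},  # "replies": all a header rule can say
    ])
    stateful = StatefulFirewall()
    packets = {   # constructed sample traffic, in arrival order
        "outbound": Packet("192.0.2.10", "198.51.100.7", "tcp", 51000, 443),
        "reply": Packet("198.51.100.7", "192.0.2.10", "tcp", 443, 51000),
        "unsolicited": Packet("198.51.100.9", "192.0.2.10", "tcp", 443, 22),  # no session behind it
    }
    return {name: (acl.decide(p), stateful.decide(p)) for name, p in packets.items()}
```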

Ans.4

I would like to ask the following questions to assess the privacy risks being faced by MH:
(i) What type of personal information does MH collect?
(ii) What are MH's privacy policies and procedures with respect to collection, use, retention, destruction, and disclosure of personal information?
(iii) What privacy laws and regulations impact MH? Are the policies revised in line with revisions in such regulations?
(iv) Are the privacy policies properly circulated and signed off by all the employees?
(v) Has MH assigned responsibility and accountability for managing a privacy program?
(vi) What measures have been incorporated in the computer systems to ensure compliance with the privacy laws?
(vii) In case any personal information collected by MH is disclosed to third parties, what safeguards and controls are applied?
(viii) What is the history of privacy breaches and the action taken thereon?
(ix) Are employees properly trained in handling privacy issues and concerns?
(x) Is compliance with the privacy policy being monitored at appropriate levels?
(xi) Does MH conduct periodic assessments to ensure that privacy policies and procedures are being followed?
(xii) Does MH have adequate resources to develop, implement, and maintain an effective privacy program?

Ans.5

For each document: the details of the target information, and the purpose for which the information would be used.

1. IT strategies / plans
Target information: Documents and details of management strategies and plans, like: IT objectives / targets; long term / short term plans; required resources.
Purpose: Whether the IT strategy is aligned with the business strategy. Assessing effectiveness of long term planning. Assessing adequacy of requirement analysis. Assessing effectiveness of capacity management.

2. IT budgets
Target information: Allocated funds / comparison of actual funds utilised last year with allocated funds. Details of cost of procurement and other recurring costs.
Purpose: Assessing the adequacy of the budget. Instances of budget overruns. Assessing effectiveness of resource utilisation.

3. Security policy
Target information: Details of security plans and standards introduced by the management.
Purpose: Assess whether the security policy is comprehensive enough to cater to all current and anticipated risks (adequacy of controls). Assessing whether regular updating and documentation of key policies is being carried out.

4. Business Continuity Plan
Target information: Evidence of the process of risk assessment. Disaster recovery procedures and plan. Evidence of testing and updating. List of key persons.
Purpose: Assess effectiveness and adequacy of the plan. Assess adequacy of procedures. Assess the level of awareness among the staff regarding their roles and responsibilities.

5. Organizational structure of IT department
Target information: Management reporting lines. Structure of segregation of duties.
Purpose: Identify persons responsible for the safeguarding of IT assets. Identify possible conflicting duties. Identify possible reliance on one or two key personnel or lack of succession plans.

Ans.6

BSL should consider the following key factors before entering into a hot site agreement with SL:
(i) Configuration: Are SL's hardware and software configurations adequate to meet BSL's needs?
(ii) Disaster: Is the definition of disaster agreed by SL broad enough to meet the anticipated needs of BSL?
(iii) Environmental/Social/Political Risk: If BSL and SL are at significantly different locations, they may have different levels and natures of environmental/social/political risks.
(iv) Speed of Availability: How soon after the disaster will facilities be available to BSL? How much advance notice is required for using the facility?
(v) Number of Subscribers: Does SL define any limit to the number of subscribers at the facility offered to BSL?
(vi) Preference: Does SL agree to give BSL preference if there is a common or regional disaster? Is there any backup of the hot site offered by SL? Does SL have more than one facility available for its clients?
(vii) Insurance: Is there adequate insurance coverage for BSL's employees at SL's site? Will BSL's existing insurance company reimburse those fees?
(viii) Usage Period: For how long would SL's facility remain available for use? Would it remain available for an adequate time? Are there certain times of the year, month etc. when SL's facilities are not available?
(ix) Technical Support: What kind of technical support will SL provide? Does it seem adequate?
(x) Communications: Are the communication connections to SL's site sufficient to permit unlimited communication with it, if needed?
(xi) Warranties: What type of warranties would be provided by SL regarding availability of the site and the adequacy of facilities?
(xii) Confidentiality Measures / Controls: Are there adequate controls implemented by SL to ensure confidentiality of BSL's data?
(xiii) Audit: Is there a right-to-audit clause in the contract, permitting an audit of the site to evaluate logical, physical and environmental security?
(xiv) Testing: Is SL ready to allow periodic testing of its facility and equipment?

Ans.7

(a) The rapid growth witnessed by GCL may have significantly changed the company's IT Governance structure. On account of any one or more of the following reasons, the management could have been inclined to hire a senior person:
(i) The requirement of IT facilities such as manpower, hardware and software etc. may have increased significantly, resulting in higher costs, and their significance for the company may require closer monitoring.
(ii) The company's processes and functions may have become more complex, involving higher risk and therefore requiring implementation of additional and more advanced controls.
(iii) The company's reliance on IT systems may have increased, enhancing the need for Business Continuity Planning.

(b) GCL may obtain the following advantages after hiring a senior person with the sole responsibility of strategic planning, development and monitoring of the IT function:
(i) Aligning the IT objectives with the business objectives.
(ii) Better and more effective controls on costs and wastage.
(iii) More efficient use of resources.
(iv) More effective risk management policies.
(v) Better documentation.
(vi) Better policies related to staff motivation and retention.
(vii) Better compliance with internal policies/procedures and external regulations.
(viii) Improved incident reporting and handling.
(ix) Improved Business Continuity Planning.

Ans.8

I would look for the following controls while reviewing GI's application:
(i) Internet encryption processes put in place to assure authenticity, integrity, confidentiality and non-repudiation of transactions.
(ii) Edit checks to identify erroneous, unusual or invalid transactions prior to updating the application.
(iii) Additional computerized checking to assess the reasonableness and validity of the transactions.
(iv) Assess whether all inbound/outbound transactions are being logged.
(v) Check whether the total number and value of transactions as reported by various branches are being reconciled with the totals communicated by GI.
(vi) Segment count totals built into the transaction set trailer by the sender.
(vii) The system has inbuilt controls whereby amounts remitted but not acknowledged by SBL within a specified time are investigated by GI.
(viii) Any change in GI's receiving centres' details is duly approved and promptly documented.
(ix) The receiving centre code is matched automatically by the system with the approved list, prior to each transaction.
(x) Approval limits have been assigned to the concerned users and are verified by the system before executing each transaction.
(xi) Initiation, approval and transmission responsibilities for high risk transactions are appropriately segregated.
(xii) Management sign-off on programmed procedures and subsequent changes is appropriately documented.
(xiii) Reporting of large value or unusual transactions for review, prior to or after transmission (exception reporting).
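An added Python example, not part of the suggested answer, that applies several of the controls listed above, (ii), (v), (vi), (ix), (x), (xi) and (xiii), to a constructed transaction set; the approved-centre list, approval limits and the large-value threshold are assumed values.

```python
# Constructed reference data (hypothetical; not from the question):
APPROVED_CENTRES = {"RC001", "RC002", "RC003"}           # approved receiving centre codes
APPROVAL_LIMITS = {"u_ali": 50_000, "u_sara": 250_000}   # per-user approval limits
LARGE_VALUE = 100_000                                    # threshold for exception reporting


def check_batch(batch):
    """Apply the controls to one transaction set. Returns a dict of findings: key 'batch'
    for set-level checks and one key per transaction id for the rest; an empty list
    means that transaction passed every check."""
    txns = batch["transactions"]
    findings = {"batch": []}
    # (vi) segment count in the trailer must equal the number of segments actually sent
    if batch["trailer"]["segment_count"] != len(txns):
        findings["batch"].append("trailer segment count mismatch")
    # (v) control total reported by the sender must reconcile with the detail records
    if batch["trailer"]["total_amount"] != sum(t["amount"] for t in txns):
        findings["batch"].append("control total mismatch")
    for t in txns:
        f = []
        if not isinstance(t["amount"], int) or t["amount"] <= 0:
            f.append("invalid amount")                         # (ii) edit check
        if t["centre"] not in APPROVED_CENTRES:
            f.append("receiving centre not on approved list")  # (ix) matched before each transaction
        if t["amount"] > APPROVAL_LIMITS.get(t["approver"], 0):
            f.append("amount exceeds approver's limit")        # (x) limit verified before execution
        if t["initiator"] == t["approver"]:
            f.append("initiator approved own transaction")     # (xi) segregation of duties
        if t["amount"] >= LARGE_VALUE:
            f.append("exception report: large value")          # (xiii) reported for review
        findings[t["id"]] = f
    return findings


SAMPLE_BATCH = {   # constructed transaction set: three detail segments, trailer claims four
    "transactions": [
        {"id": "T1", "centre": "RC001", "amount": 20_000, "initiator": "u_ali", "approver": "u_sara"},
        {"id": "T2", "centre": "RC999", "amount": 300_000, "initiator": "u_ali", "approver": "u_sara"},
        {"id": "T3", "centre": "RC002", "amount": 10_000, "initiator": "u_ali", "approver": "u_ali"},
    ],
    "trailer": {"segment_count": 4, "total_amount": 330_000},
}
```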

Ans.9

(a) Project performance
(i) Ratio of projects completed on time.
(ii) Ratio of projects completed within budget.
(iii) Ratio of projects meeting functionality requirements / users' satisfaction rating.

(b) IT operational support
(i) Average time taken to respond to customers' complaints.
(ii) Ratio of number of problems reported to problems resolved/unresolved.
(iii) Percentage of customer satisfaction with support services (through survey form).

(c) IT infrastructure availability
(i) Number of system downtimes (per unit time, i.e. per hour, per day, per week etc.).
(ii) Mean time between failures.
(iii) Number of customers' complaints about non-availability of online facilities.

(d) IT security environment
(i) Percent increase/decrease in security breaches/incidents reported.
(ii) Mean time to resolve critical security issues.
(iii) Level of customers' awareness of risks and controls (through survey form).

(THE END)
